Green padlock symbol doesn't guarantee security. So what does?

How can you show that your website is trustworthy?

Recently, the NOS reported the results of an analysis of thousands of websites from four blacklists. One finding was that 4,300 of the sites were using 'green padlocks' to show that they had valid SSL certificates. According to the NOS, the green padlock symbol suggests that a site is secure, when that isn't necessarily the case. The analysed websites were already blacklisted, but would previously have been trusted by many consumers. So, if you can't put your trust in the padlock, where do you look for reassurance? And what can a website manager or webshop proprietor do to promote confidence?


Crooks abuse green padlocks

Internet users are often advised to look for the green padlock, because it supposedly shows that a website is secure. After all, installing an SSL certificate has traditionally been expensive and time-consuming, and therefore unattractive to crooks. Nowadays, however, certification is a cinch with a free tool such as Let's Encrypt. The downside of that convenience is that internet scammers have started using green padlocks to make themselves look trustworthy. Visitors see the familiar icon, drop their guard and assume that it's safe to use the site or shop.

Extended validation is best

"It's important to change the way people view the green padlock," says Pim Pastoors, Product Manager at SIDN. "It doesn't guarantee that the website content is secure. Only that the connection is secure. So, for example, you can enter private information on the site without worrying that someone might read it on the way from your PC to the server. I would advise businesses and webshops to go for extended validation (EV) certificates. An EV certificate is issued only after thorough vetting. The applicant has to provide full company details and show that they really are acting for the company in question. Even when visiting a site with an EV certificate, a user should look critically at the content, but you can have more confidence about the site itself. It's only with an EV certificate that both the company name and the green padlock appear in a browser's address bar, and the user can be sure that they're on the right company's site."

Only one of the Netherlands' ten leading news sites has an EV certificate

"We recently found that, out of the country's ten biggest news sites*, just one had an EV certificate," continues Pim. "With so much fake news around these days, you would expect news outlets to be keen to show how trustworthy they are."

EV certificate on each of the ten news sites: no, yes, no, no, no, no, no, no, no, no

* 'De 80 grootste websites en meest gebruikte apps van Nederland' ('The 80 biggest websites and most used apps in the Netherlands'), consulted on 6 June 2018

Adding a green padlock to a fake website is easy

As well as looking for the green padlock, internet users are advised to check a site's domain name. Even then, there are pitfalls. Crooks often register domain names that are barely different from those used by legitimate organisations. To show how easy that is, the NOS registered the domain names '', '' and '' without being challenged. It's easy to see how those names could be used to trick people looking for the genuine bank log-in pages '' and ''. Especially when used with valid SSL certificates. Distinguishing between legitimate and scam domain names can be hard, and a green padlock doesn't tell you which is which.
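One way a site owner could screen a list of newly registered names for the near-miss spellings described above. This is an added example, not SIDN's or the NOS's code; the domain names, the substitution table and the two-edit threshold are constructed assumptions.

```python
# Added example: flag newly registered names that resemble a protected domain.
# All names below are constructed; the look-alike table is an assumption.
CONFUSABLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def label(domain):
    """Left-most label of a registered name such as 'examplebank.nl'."""
    return domain.lower().rstrip(".").split(".")[0]

def skeleton(text):
    """Fold common look-alike substitutions and drop hyphens."""
    return text.translate(CONFUSABLE).replace("rn", "m").replace("-", "")

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cost = min(cost, prev2[j - 2] + 1)  # adjacent letters swapped
            cur.append(cost)
        prev2, prev = prev, cur
    return prev[-1]

def classify(brand, candidate, max_edits=2):
    """Return why candidate resembles brand, or None if it does not."""
    if candidate.lower().rstrip(".") == brand.lower().rstrip("."):
        return None  # the protected name itself
    b, c = label(brand), label(candidate)
    if b == c:
        return "same label, other TLD"
    sb, sc = skeleton(b), skeleton(c)
    if sb == sc:
        return "look-alike characters"
    if sb in sc:
        return "brand embedded in longer name"
    d = osa_distance(sb, sc)
    return f"{d} edit(s) from brand" if d <= max_edits else None

def scan(brand, feed):
    """Return (domain, reason) for every name in feed worth a manual review."""
    return [(d, r) for d in feed if (r := classify(brand, d))]

BRAND = "examplebank.nl"  # constructed brand name
FEED = ["examp1ebank.nl", "exmaplebank.nl", "examplebank-login.nl",
        "examplebank.com", "gardencentre.nl"]  # constructed registration feed

if __name__ == "__main__":
    for domain, reason in scan(BRAND, FEED):
        print(f"{domain}: {reason}")
```

Short brand labels produce many matches at two edits, so the threshold should shrink with label length, and every hit still needs a human look before any takedown request.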

It pays to actively monitor your domain name

"The banking industry has now got its house in order," Pastoors clarifies. "Most banks proactively monitor their domain names, enabling them to act quickly if someone registers a name similar to their brand. However, the majority of corporates, government agencies, smaller companies and webshops aren't so alert, and scammers take advantage of that. One good way to monitor your domain name is by subscribing to our Domain Name Surveillance Service. A lot of people imagine that monitoring is expensive, but it isn't really. There are suitable and affordable options for organisations of all kinds. And the cost of monitoring has to be weighed up against the potential reputational and financial cost of not monitoring."


