Green padlock symbol doesn't guarantee security. So what does?

Recently, the NOS reported the results of an analysis of thousands of websites from four blacklists. One finding was that 4,300 of the sites were using 'green padlocks' to show that they had valid SSL certificates. According to the NOS, the green padlock symbol suggests that a site is secure, when that isn't necessarily the case. The analysed websites were already blacklisted, but would previously have been trusted by many consumers. So, if you can't put your trust in the padlock, where do you look for reassurance? And what can a website manager or webshop proprietor do to promote confidence?


Crooks abuse green padlocks

Internet users are often advised to look for the green padlock, because it supposedly shows that a website is secure. After all, installing an SSL certificate has traditionally been expensive and time-consuming, and therefore unattractive to crooks. Nowadays, however, certification is a cinch with a free tool such as Let's Encrypt. The downside of that convenience is that internet scammers have started using green padlocks to make themselves look trustworthy. Visitors see the familiar icon, drop their guard and assume that it's safe to use the site or shop.

Extended validation is best

"It's important to change the way people view the green padlock," says Pim Pastoors, Product Manager at SIDN. "It doesn't guarantee that the website content is secure. Only that the connection is secure. So, for example, you can enter private information on the site without worrying that someone might read it on the way from your PC to the server. I would advise businesses and webshops to go for extended validation (EV) certificates. An EV certificate is issued only after thorough vetting. The applicant has to provide full company details and show that they really are acting for the company in question. Even when visiting a site with an EV certificate, a user should look critically at the content, but you can have more confidence about the site itself. It's only with an EV certificate that both the company name and the green padlock appear in a browser's address bar, and the user can be sure that they're on the right company's site."

Only one of the Netherlands' ten leading news sites has an EV certificate

"We recently found that, out of the country's ten biggest news sites*, just one had an EV certificate," continues Pim. "With so much fake news around these days, you would expect news outlets to be keen to show how trustworthy they are."

news sites EV certificate no yes no no no no no no no no

* ‘De 80 grootste websites en meest gebruikte apps van Nederland’ ('The 80 biggest websites and most used apps in the Netherlands'), consulted on 6 June 2018

Adding a green padlock to a fake website is easy

As well as looking for the green padlock, internet users are advised to check a site's domain name. Even then, there are pitfalls. Crooks often register domain names that are barely different from those used by legitimate organisations. To show how easy that is, the NOS registered the domain names '', '' and '' without being challenged. It's easy to see how those names could be used to trick people looking for the genuine bank log-in pages '' and ''. Especially when used with valid SSL certificates. Distinguishing between legitimate and scam domain names can be hard, and a green padlock doesn't tell you which is which.

It pays to actively monitor your domain name

"The banking industry has now got its house in order," Pastoors clarifies. "Most banks proactively monitor their domain names, enabling them to act quickly if someone registers a name similar to their brand. However, the majority of corporates, government agencies, smaller companies and webshops aren't so alert, and scammers take advantage of that. One good way to monitor your domain name is by subscribing to our Domain Name Surveillance Service. A lot of people imagine that monitoring is expensive, but it isn't really. There are suitable and affordable options for organisations of all kinds. And the cost of monitoring has to be weighed up against the potential reputational and financial cost of not monitoring."

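The kind of check that domain name monitoring performs, as an added example (not SIDN's code and not how its Domain Name Surveillance Service is implemented): it compares names from a registration feed against a protected brand name and reports why each near match was flagged. The domain names, function names and folding table are assumptions constructed for illustration.

```python
# Added example. All domain names below are constructed, not taken from the article.
LOOKALIKE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
SAMPLE_FEED = ["examplebank.nl", "examp1ebank.nl", "exampelbank.nl", "example-bank.nl",
               "examplebank.com", "mijn-examplebank.nl", "bakery.nl"]

def skeleton(label):
    """Fold common visual substitutions and hyphens into one canonical form."""
    folded = label.lower().replace("rn", "m").replace("vv", "w")
    return folded.translate(LOOKALIKE).replace("-", "")

def osa_distance(a, b):
    """Edit distance where insert, delete, substitute and adjacent swap each cost 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            d = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                d = min(d, prev2[j - 2] + 1)  # adjacent characters swapped
            cur.append(d)
        prev2, prev = prev, cur
    return prev[-1]

def classify(candidate, brand, max_edits=1):
    """Return why `candidate` resembles `brand`, or None if it does not.
    Assumes plain 'label.tld' names (no subdomains, no internationalised names)."""
    candidate, brand = candidate.lower(), brand.lower()
    c_label, b_label = candidate.partition(".")[0], brand.partition(".")[0]
    if candidate == brand:
        return None  # the legitimate name itself
    if c_label == b_label:
        return "same label, different TLD"
    if skeleton(c_label) == skeleton(b_label):
        return "look-alike characters or hyphenation"
    if osa_distance(c_label, b_label) <= max_edits:
        return "within typo distance"
    if skeleton(b_label) in skeleton(c_label):
        return "brand embedded in longer name"
    return None

def monitor(feed, brand):
    """Map each suspicious name in a registration feed to the reason it was flagged."""
    hits = {name: classify(name, brand) for name in feed}
    return {name: why for name, why in hits.items() if why}

if __name__ == "__main__":
    for name, why in monitor(SAMPLE_FEED, "examplebank.nl").items():
        print(f"{name}: {why}")
```

A flagged name is a prompt for review, not proof of abuse, and a valid certificate on the flagged name says nothing either way.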


Pim Pastoors


+31 6 570 454 07
