How to Tell If a Website Is Secure: 2026 Browser Guide

The padlock icon most people learned to trust is gone from Chrome, and the signals browsers use today are subtler. This guide covers what actually confirms a site is secure in 2026, how to inspect a certificate in any major browser, what mixed content looks like, and the difference between a secure connection and a trustworthy business.

Table of Contents

How Can You Tell if a Website is Secure?

Start with three checks. First, the URL begins with https:// and not http://. Second, the browser is not showing a “Not Secure” warning next to the address bar. Third, when you click the site settings icon in the URL bar, the certificate details show the correct domain name and an active expiration date.

Those three checks confirm that traffic between your device and the server is encrypted. They do not prove the site is run by a legitimate business. Encryption and legitimacy are separate questions, and the rest of this guide covers both.

What Happened to the Padlock Icon in Chrome?

Google retired the padlock in Chrome 117, which rolled out in September 2023. A small “tune” icon that looks like two horizontal sliders took its place. According to Chrome Security Team research cited in the announcement, only 11% of users correctly understood what the padlock actually meant, and roughly 89% assumed it signaled trustworthiness rather than encryption.

That mismatch was a real problem. Nearly every phishing site in 2026 uses HTTPS and a valid certificate, so a padlock on a fake PayPal login told users nothing useful. Google’s stated goal was to stop rewarding sites for having encryption, which is now the baseline, and to focus the UI on flagging genuinely unsafe pages.

On iOS, Chrome removed the icon entirely because it was never clickable there. Safari, Firefox, and Edge still display a lock or similar glyph, though each browser uses slightly different visual cues.

How Do Different Browsers Show Site Security Today?

Quick reference for the four browsers most people use:

Google Chrome and Chromium-based browsers: A tune icon (two horizontal sliders) sits at the left of the URL bar. Clicking it opens certificate details, permissions, and cookie settings.
Mozilla Firefox: A padlock icon is still present. A gray lock with a diagonal strike, or a warning triangle, indicates a problem with encryption or mixed content.
Safari: A padlock icon appears for standard HTTPS pages. Clicking it reveals the certificate issuer and details. Safari also shows “Not Secure” text inline for HTTP pages that accept input.
Microsoft Edge: Similar to Chrome, with a tune-style icon that opens a permissions and connection panel.

The signal that matters most across all of them is the warning, not the reassurance. If you see the words “Not Secure,” a red strikethrough on HTTPS, or a triangle with an exclamation mark, the browser is flagging a real problem.

How Do You View a Site’s SSL Certificate Details?

Every major browser exposes the certificate in two or three clicks.

Click the small icon at the left of the URL bar (padlock, tune icon, or lock variant depending on the browser).
Choose “Connection is secure” or equivalent wording.
Select “Certificate is valid” or “View certificate.”

Four pieces of information are worth checking on the certificate panel:

Issued to: The domain name. It should match the site you are on. A certificate issued to secure-login.example-mail.co when you think you are on gmail.com indicates the site is impersonating a brand.
Issued by: The certificate authority. Common CAs include Let’s Encrypt, DigiCert, Sectigo, Google Trust Services, and GlobalSign.
Valid from / Valid until: Current dates, with the expiration in the future.
Subject Alternative Names: Other domains the certificate covers. Useful when verifying wildcard or multi-domain certs.

If the certificate is expired, revoked, or mismatched, the browser will usually block the page before you ever see the certificate panel and display a full interstitial warning instead.

What Does “Not Secure” Mean in Your Browser?

“Not Secure” appears for two main reasons. Either the page is loading over plain HTTP with no encryption at all, or the HTTPS connection failed a validation check.

Plain HTTP pages are rare in 2026. When they do appear, any data you submit, including login credentials, search queries, and credit card numbers, travels across the internet in cleartext. Anyone on the same network can read it with basic tooling.

A failed HTTPS connection usually means one of the following:

The certificate has expired.
The certificate was issued for a different domain than the one in the URL bar.
The certificate chain is broken or signed by an untrusted root CA.
The site is using deprecated protocols like TLS 1.0 or TLS 1.1.

Any of these warrants closing the tab rather than clicking through. Browsers offer an “Advanced” or “Proceed anyway” option for a reason, but it should almost never be used on sites where you plan to enter personal information.

What is Mixed Content and Why Does It Matter?

Mixed content is the most common reason a site’s security indicator looks wrong. It happens when an HTTPS page loads at least one resource (an image, script, stylesheet, font, or iframe) over plain HTTP.

There are two variations:

Passive mixed content: Images or media loaded over HTTP. Modern browsers often auto-upgrade these requests to HTTPS or block them silently.
Active mixed content: Scripts, stylesheets, or iframes loaded over HTTP. Browsers block these outright because a compromised script can rewrite the entire page.

For visitors, the visible result is a broken security indicator, a “Not fully secure” label, or missing images and styling. For site owners, the fix is almost always replacing hardcoded http:// references in theme files, plugins, or database entries with https:// or protocol-relative URLs.

Why HTTPS Alone Does Not Prove a Site is Trustworthy

This is the harder point. A site can have a perfectly valid certificate and still be a scam.

Free certificate authorities like Let’s Encrypt made SSL/TLS accessible to everyone, which was a net gain for the open web. The side effect is that fraudsters can also get a trusted certificate for a typosquatted domain in about five minutes. The FBI and other agencies have repeatedly warned that the padlock icon, or any secure-connection indicator, should never be treated as proof of legitimacy.

Encryption confirms that data between your browser and the server is private. It says nothing about whether the server belongs to the company you think it does, whether the business is real, or whether your payment will result in a product showing up.

What Are the Warning Signs of an Unsafe Website?

Encryption aside, several signals tend to appear together on fraudulent or compromised sites:

A domain name that is almost, but not quite, a familiar brand: amaz0n-support.com, paypal-verification-center.net, apple-id-recover.co.
Pressure tactics in the content, including countdown timers, all-caps warnings, and threats that an account will be locked in minutes.
Requests for information a legitimate site would never ask for, such as a Social Security number on a package tracking page.
Poor spelling and broken formatting, especially on login pages or payment forms.
Payment methods limited to gift cards, cryptocurrency, or wire transfers.
No physical address, no working contact information, or a business registered days ago.
Redirects that bounce you through several domains before landing on the final page.

Any one of these in isolation warrants caution. Two or more appearing together on a site handling your money or personal data should stop the transaction.

How Can You Check a URL for Phishing or Malware?

Browsers already run real-time checks against databases like Google Safe Browsing and Microsoft SmartScreen. If a URL is flagged there, the browser will display a full red warning page before the site even loads.

For a second opinion, three free tools are useful:

Google Safe Browsing Site Status: Paste any URL to see if Google has flagged it recently.
VirusTotal: Submits the URL to roughly 70 antivirus and domain-reputation engines at once.
URLVoid or ScamAdviser: Domain reputation tools that aggregate blocklists and WHOIS age data.

WHOIS registration details on the domain itself are worth a quick look. A “bank” registered three weeks ago with a privacy-protected registrar in a country unrelated to its stated business is not a bank.

What to Do if Your Own Website Shows as Not Secure

For site owners, a broken security indicator is almost always one of four problems:

No SSL certificate installed, or the site is still being served over HTTP. The fix is installing a certificate and forcing HTTPS at the server or .htaccess level. Most hosts, including InMotion Hosting, provide free Let’s Encrypt SSL on every plan.
Expired or mismatched certificate. Let’s Encrypt certs auto-renew every 90 days in most setups, but renewal can fail when the ACME client is misconfigured or a domain changes. Log in to cPanel or your hosting control panel and reissue the certificate.
Mixed content in page code or the database. On WordPress, a plugin like Better Search Replace can rewrite old http:// references across the database in one pass. Theme files and hardcoded URLs in custom templates need manual review.
CDN or reverse proxy misconfiguration. If the site uses Cloudflare or a similar service, SSL mode has to be set to “Full” or “Full (strict)” so traffic is encrypted on both legs, not just between the visitor and the CDN.

If the site runs on managed hosting, support can usually identify which of the four is responsible in a few minutes. For deeper code-level mixed content issues in custom themes or large ecommerce stores, professional services can audit and clean the site.

When Should You Close the Tab and Leave?

Three situations where continuing is a bad idea, regardless of the offer on the page:

A full-page browser warning about an expired, invalid, or untrusted certificate on a site asking for login credentials or payment.
A domain that does not match the brand it claims to be, especially after clicking a link from an email or text message.
A page that demands payment in gift cards, crypto, or wire transfer before any service is delivered.

The lock icon is no longer the signal to watch in 2026. What matters is the absence of warnings, a certificate that matches the domain you expect, and site behavior that is consistent with a legitimate business. Encryption is now expected everywhere. Judgment is still the deciding factor.

Need help securing your own website? InMotion Hosting includes free SSL on every hosting plan and provides 24/7 human support that can diagnose certificate, mixed content, and redirect issues in a single session. Explore our hosting plans.

Share this Article