Why HTTPS Does Not Always Mean a Website Is Safe
HTTPS protects a connection, but it does not prove a website is legitimate. Here is how to read the signal correctly.
HTTPS protects transport
HTTPS helps prevent outsiders from reading or modifying traffic between your browser and the site. That is important, but it answers only one question: is the connection encrypted?
Attackers can use HTTPS too
Modern phishing sites can obtain certificates and show a padlock. A secure connection to a fake site is still a fake site.
The domain still matters
Always check whether the domain matches the service you expected. A padlock on an unrelated domain does not make a login page trustworthy.
Use HTTPS as one signal
A non-HTTPS final destination is a caution signal. An HTTPS final destination is better, but it should be combined with domain, redirect, and context checks.
What CheckLink checks
CheckLink notes whether the final destination uses HTTPS and combines that with other risk signals. It does not treat HTTPS as a guarantee.
Checklist
FAQ
Does HTTPS mean a site is legitimate?
No. HTTPS means the connection is encrypted, not that the operator is trustworthy.
Is HTTP always dangerous?
Not always, but it is a weaker signal and deserves caution when sensitive information is involved.
Related guides
Use CheckLink before the next click
CheckLink provides risk signals and review paths. It does not guarantee that a website is risk-free.