The Truth Behind the Browser Lock Icon
The lock icon in your browser's address bar does not mean "this site is safe." It means "your communication with this site is encrypted, and the server at the other end has proved it holds the private key for a certificate issued for this domain name." The technology behind that guarantee is the digital certificate.
Phishing sites display the lock icon too. The lock indicates transport security, not site trustworthiness. Understanding this distinction requires knowing how digital certificates work.
What Is a Digital Certificate?
A digital certificate is a website's identity document. Just as a passport ties your identity to a photo with government backing, a digital certificate ties a domain name to a public key with backing from a Certificate Authority (CA).
A certificate contains:
- Domain names: The host names the certificate is valid for, listed in the Subject Alternative Name extension (e.g., kakunin-ip.click)
- Public key: The server's public key; during the handshake the server must prove it holds the matching private key, and that proof is what lets the browser trust the encrypted session
- Issuer: The Certificate Authority that issued it
- Validity period: A not-before and a not-after date; for publicly trusted TLS certificates the span is currently limited to a maximum of 398 days
- Digital signature: The CA's signature over the certificate's contents; any change to those contents invalidates it
What Happens During an HTTPS Connection
When your browser connects to an HTTPS site, a TLS handshake runs before any page data is sent. It typically completes within a few hundred milliseconds, most of which is network round-trip time:
- Certificate presentation: The server sends its digital certificate, together with any intermediate CA certificates, to the browser
- Certificate validation: The browser checks that the current time falls within the validity period, that the requested host name appears in the certificate's Subject Alternative Name list, and that the CA's signature over the certificate's contents verifies
- Trust chain verification: The browser follows the issuer chain through the intermediates and confirms that it ends at a root CA in its built-in trust store
- Key exchange: An ephemeral Diffie-Hellman exchange produces the session keys (in TLS 1.3 the key shares travel in the very first messages); the server signs the handshake transcript with the certificate's private key, which ties the encrypted session to the verified certificate and proves the server actually holds that key
- Encrypted communication begins: All subsequent traffic is encrypted and integrity-protected with the session keys
If any step fails, the browser displays a "Your connection is not private" warning instead of the page.
Certificate Types and Trust Levels
| Type | Validation | Cost | Use Case |
|---|---|---|---|
| DV (Domain Validation) | Control of the domain only | Free to low cost | Personal sites, blogs |
| OV (Organization Validation) | Domain control + existence of the organization | Moderate | Corporate sites, e-commerce |
| EV (Extended Validation) | Domain control + stricter vetting of the legal entity | High | Banks, financial institutions |
Let's Encrypt made DV certificates free, accelerating HTTPS adoption across the web. However, this also means phishing sites can easily display the lock icon: a DV certificate attests only that whoever requested it controls the domain, and a phisher controls the look-alike domain they registered. OV and EV do not help users here either, because major browsers stopped showing the organization name in the address bar for EV certificates in 2019; the lock looks the same for all three types.
The Chain of Trust
Digital certificate trust works through a chain. Your browser comes pre-loaded with on the order of 100-150 root CA certificates (the exact count depends on the vendor's root program), admitted after audits against the CA/Browser Forum's Baseline Requirements and the root program policies of browser vendors like Mozilla, Apple, Google, and Microsoft.
Website certificates are typically issued by intermediate CAs, not directly by root CAs, so the root's private key can stay offline. The server sends the intermediates along with its own certificate, and the browser traces the chain from site certificate to intermediate CA to root CA. If it reaches a root in its trust store, and every signature along the way verifies, the certificate is considered valid.
This system breaks when a CA issues fraudulent certificates, whether through compromise or negligence. DigiNotar was breached in 2011 and attackers issued certificates for Google and other domains; Symantec's CA business was distrusted by browsers in 2017-2018 after repeated misissuance. Certificate Transparency was created in response: CAs must publish every certificate to public, append-only logs, so a domain owner can detect a certificate for their domain that they never requested. A fraudulent certificate lets an attacker who can also intercept or redirect traffic impersonate the site and read or modify what the victim sends to it, with no browser warning.
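The validation steps listed under "What Happens During an HTTPS Connection" and the chain walk described in this section, as an added example that is not part of the original page: a miniature PKI (root, intermediate, leaf) built with the third-party Python `cryptography` package, and a `validate()` function that performs the browser's checks in order (validity period, host name against the Subject Alternative Name list, signature of each certificate by its issuer, chain ending at a trusted root). The CA names, `example.com`, the look-alike `examp1e.com`, the attacker key and the fixed clock are all constructed for the example. The last case shows the DV point made above: a certificate the trusted CA issued for a look-alike domain the attacker controls validates cleanly, so the lock would appear.

```python
import datetime as dt

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Constructed "current time" so the example is deterministic (assumption, not from the page).
NOW = dt.datetime(2025, 6, 1, tzinfo=dt.timezone.utc)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def issue(subject_cn, key, issuer=None, issuer_key=None, *, ca, days, sans=()):
    """Issue a certificate for `key`. Self-signed when no issuer is given."""
    issuer_name = issuer.subject if issuer is not None else _name(subject_cn)
    signing_key = issuer_key if issuer_key is not None else key
    start = NOW - dt.timedelta(days=1)
    b = (x509.CertificateBuilder()
         .subject_name(_name(subject_cn))
         .issuer_name(issuer_name)
         .public_key(key.public_key())
         .serial_number(x509.random_serial_number())
         .not_valid_before(start)
         .not_valid_after(start + dt.timedelta(days=days))
         .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    if sans:
        b = b.add_extension(x509.SubjectAlternativeName([x509.DNSName(s) for s in sans]),
                            critical=False)
    return b.sign(signing_key, hashes.SHA256())


def _validity(cert):
    if hasattr(cert, "not_valid_before_utc"):  # cryptography >= 42 (timezone-aware)
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    utc = dt.timezone.utc  # older versions return naive UTC datetimes
    return cert.not_valid_before.replace(tzinfo=utc), cert.not_valid_after.replace(tzinfo=utc)


def _is_ca(cert):
    try:
        return cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca
    except x509.ExtensionNotFound:
        return False


def _signed_by(cert, issuer):
    """Verify the issuer's signature over the certificate body (ECDSA keys only here)."""
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def hostname_matches(cert, hostname):
    """Browser-style name check: SAN DNS names only, wildcard covers one leftmost label."""
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return False  # browsers ignore the Common Name; no SAN means no match
    host = hostname.lower().split(".")
    for dns_name in san.get_values_for_type(x509.DNSName):
        labels = dns_name.lower().split(".")
        if labels == host:
            return True
        if labels[0] == "*" and len(labels) == len(host) and labels[1:] == host[1:]:
            return True
    return False


def validate(leaf, intermediates, trusted_roots, hostname, now=NOW):
    """Return 'ok' or the name of the first failing browser check."""
    cert = leaf
    for _ in range(5):  # bound the chain length
        not_before, not_after = _validity(cert)
        if not (not_before <= now <= not_after):
            return "expired"
        if cert is leaf and not hostname_matches(cert, hostname):
            return "name-mismatch"
        # Candidate issuers: CA certificates whose subject equals this cert's issuer name.
        by_name = [c for c in list(trusted_roots) + list(intermediates)
                   if c.subject == cert.issuer and _is_ca(c)]
        if not by_name:
            return "unknown-issuer"
        signers = [c for c in by_name if _signed_by(cert, c)]
        if not signers:
            return "bad-signature"
        cert = signers[0]
        if cert in trusted_roots:
            return "ok"
    return "chain-too-long"


# Constructed PKI: one root in the "browser store", one intermediate, one site certificate.
root_key, inter_key, site_key, evil_key = [ec.generate_private_key(ec.SECP256R1()) for _ in range(4)]
ROOT = issue("Example Root CA", root_key, ca=True, days=3650)
INTER = issue("Example Intermediate CA", inter_key, ROOT, root_key, ca=True, days=1825)
SITE = issue("example.com", site_key, INTER, inter_key, ca=False, days=90,
             sans=["example.com", "www.example.com"])
TRUSTED = [ROOT]


def check_legit():
    return validate(SITE, [INTER], TRUSTED, "www.example.com")


def check_wrong_host():
    return validate(SITE, [INTER], TRUSTED, "login.example.com")


def check_expired():
    return validate(SITE, [INTER], TRUSTED, "example.com", now=NOW + dt.timedelta(days=400))


def check_forged():
    # Names INTER as issuer but is signed with the attacker's key: the signature step fails.
    forged = issue("example.com", evil_key, INTER, evil_key, ca=False, days=90, sans=["example.com"])
    return validate(forged, [INTER], TRUSTED, "example.com")


def check_self_signed_lookalike():
    cert = issue("examp1e.com", evil_key, ca=False, days=90, sans=["examp1e.com"])
    return validate(cert, [], TRUSTED, "examp1e.com")


def check_dv_lookalike():
    # The CA verified only that the attacker controls examp1e.com, so this chains to the trusted root.
    cert = issue("examp1e.com", evil_key, INTER, inter_key, ca=False, days=90, sans=["examp1e.com"])
    return validate(cert, [INTER], TRUSTED, "examp1e.com")


if __name__ == "__main__":
    for f in (check_legit, check_wrong_host, check_expired, check_forged,
              check_self_signed_lookalike, check_dv_lookalike):
        print(f"{f.__name__:28s} {f()}")
```

Real browsers do more than this (revocation and Certificate Transparency checks, key-usage and name-constraint extensions, RSA as well as ECDSA signatures), and the example handles only ECDSA keys; it keeps to the steps the page lists so that each failure mode maps to one named return value.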
Why Certificate Lifespans Are Shrinking
Maximum certificate validity has steadily decreased: from 5 years in 2012 to 398 days since September 2020. A CA/Browser Forum ballot proposed by Apple and adopted in 2025 shortens it further in steps, reaching 47 days in 2029.
Shorter lifespans limit the damage window if a private key is compromised or a certificate is misissued: the shorter the validity, the less time an attacker can use a stolen certificate, and the less the ecosystem has to rely on revocation checks, which browsers perform inconsistently. Short lifetimes also force renewal to be automated (for example with the ACME protocol), which removes the forgotten manual renewals that cause outages. You can inspect the certificate and encryption details of your own connection by running a security check at IP確認さん.
For a deeper understanding of digital certificates and cryptography, cryptography textbooks provide comprehensive coverage.