Why No Padlock on HTTPS Sites?
There are a few reasons why a website with HTTPS encryption may not display the padlock icon:
1. Missing Intermediate Certificate
For a browser to trust a site’s SSL certificate, it must validate the chain of trust back to a root certificate authority. Sometimes a certificate chain is missing an intermediate certificate which leads browsers to display a warning instead of the padlock.
This is often just a configuration issue on the web server which can be resolved by installing the missing intermediate certificate.
2. Self-signed Certificate
Websites with self-signed certificates, instead of certificates signed by a trusted authority, will not display the padlock. Browsers cannot verify the identity of the self-signed certificate so they cannot authenticate the site.
Some sites use self-signed certificates on intranets or for testing purposes. Users have to manually verify and trust these certificates on each device.
3. Mixed Content
If a HTTPS page serves some resources like images or scripts over HTTP, browsers will display a crossed out padlock or triangle warning instead. This is because some content is transmitted unencrypted over HTTP.
Mixed content issues decrease security. Developers need to update code to reference resources using relative HTTPS paths to resolve.
4. Expired Certificate
Outdated expiring certificates cause the padlock to disappear and be replaced by security warnings. Browsers cannot validate expired certificates.
Website owners need to renew and install an updated certificate to restore trust and bring back the padlock.
5. Browser Cache
Sometimes the padlock icon fails to update after changes to a site’s security. Clearing the browser cache and performing a hard refresh should resolve this.