Are ‘Secure Web Forms’ as Secure as You Think?

Photo by walknboston -

You’ve probably been told to check for a locked padlock icon in the corner of your browser window — and an ‘https:’ in your address bar — to be sure a web page is secure, right? Well, unfortunately, the received wisdom about providing your personal details on a ‘secure web form’ is just plain wrong…

Irresponsible Marketing or Just Technical Incompetence?

Sometimes you just have to call them like you see them, even when doing so might make some folks look less like experts than they would like you to think they are.

This is one of those cases.

It’s almost universally accepted that if you see a locked padlock icon in the corner of your browser window, it means that a given web page is ‘secure’. The icon normally appears if and only if the URL shown in the browser’s address bar begins with ‘https:’ (rather than merely ‘http:’), and the website has a valid digital certificate enabling it and your browser to cooperate in using SSL to encrypt the communications between your browser and the server. Marketers and online therapists who don’t really understand how it all works seem to like this a lot: tell users all about that little icon and the ‘https:’ and make them feel so much better about handing over their personal details via a web form.

Unfortunately, however, the received wisdom that you can tell by looking for an icon whether a web form is secure is just plain wrong!


Because what matters is not whether information sent to you was encrypted, but whether information sent from you to the web server is going to be encrypted — and the information which is sent from your browser back to the server goes to a new URL which is specified in the code of the page with the form. In other words, the question of whether the web form itself was delivered over a secure connection is irrelevant to the question of whether your personal details will be protected when they are delivered back to the server.

Of course, most modern browsers will pop up a warning window if a form contained on a page delivered over SSL is about to be sent back to the server over an unencrypted connection, but by then, you have already entered your details, and the last chance you get to guard the privacy of your information is when that window pops up and you pay attention to it, do not automatically dismiss it, and tell your browser NO! do not send my form this way. Unfortunately, most web users have been so conditioned to look for that little padlock — so irrelevant in this context — that many are inclined just to ignore the warning and get on with it.

Try it: ask a set of 10 web users what happens if an SSL-protected form is submitted back to the server without SSL and what they should do about it, and see how many eyes glaze over and how many folks talk about that little padlock and the ‘https:’ in the address bar.

All clinical material on this site is peer reviewed by one or more clinical psychologists or other qualified mental health professionals. This specific article was originally published by on and was last reviewed or updated by Dr Greg Mulhauser, Managing Editor on .

Overseen by an international advisory board of distinguished academic faculty and mental health professionals with decades of clinical and research experience in the US, UK and Europe, provides peer-reviewed mental health information you can trust. Our material is not intended as a substitute for direct consultation with a qualified mental health professional. is accredited by the Health on the Net Foundation.

Copyright © 2002-2023. All Rights Reserved.