When you visit a website, the Site Identity button (a padlock) appears in the address bar to the left of the web address. You can quickly find out if the connection to the website you are viewing is encrypted, and in some cases who owns the website. This should help you avoid malicious websites that are trying to obtain your personal information.
When viewing a secure website, the Site Identity button will be a gray padlock. In a few cases, however, you may see a gray padlock with a warning triangle or a gray padlock with a red strike over it .
A gray padlock with no warning triangle or red strike over it indicates that:
- You’re definitely connected to the website whose address is shown in the address bar and the connection hasn’t been intercepted.
- The connection between Firefox and the website is encrypted to prevent eavesdropping.
Click the padlock to find out if the website is using an Extended Validation (EV) certificate. An EV certificate is a special type of site certificate that requires a significantly more rigorous identity verification process than other types of certificates.
For sites using EV certificates, the legal company or organization name and location of the website owner displays when you click the gray padlock.
Padlock with a warning triangle
A gray padlock with a warning triangle indicates that the connection between Firefox and the website is only partially encrypted and doesn't prevent eavesdropping. By default, Firefox does not block insecure passive content such as images; you will simply see a warning that the page isn't fully secure. For more information, see Mixed content blocking in Firefox.
A gray padlock with a warning triangle also appears for website certificate warnings, such as for sites with self-signed certificates or certificates that aren’t issued by a trusted authority. This is a problem the site developer needs to resolve.
Padlock with a red strike over it
A gray padlock with a red strike over it indicates that the connection between Firefox and the website is either delivered using an insecure protocol (FTP or HTTP) or that it is only partially encrypted because you've manually deactivated mixed content blocking. The site doesn't prevent against eavesdropping or man-in-the-middle attacks.