Originally Posted by
gfunkdave
No, it means the connection is encrypted and the browser has validated that the certificate presented by the web server belongs to that server. Those two conditions (encryption and verification against Man In the Middle attacks) are what SSL/TLS are designed for. Any browser will throw errors if a website you visit presents a certificate that doesn't match the site it's connected to. In those cases, the padlock won't appear and the browser will tell you there's something wrong with the site's security.
Here's an example:
https://wrong.host.badssl.com/
Right, but if you, say, type in your browser www.exmaplebank.com (most people wouldn't specifically put https in front anyway), and I can hijack that and redirect you to, say, https://www.exapmlebank.com which I own, and have the valid certificate for... would you really pay attention to a small typo in the URL? Would the average user even check the URL?