CA Security Council Report: Consumers Don’t Know Much About Security, But They Trust the Padlock and Green Bar When Shopping Online

Monday April 13, 2015

San Francisco – April 13, 2015 – The CA Security Council (CASC), an advocacy group committed to the advancement of the security of websites and online transactions, today released its 2015 Consumer Trust Survey which found that validation matters.  While consumers are confused about some aspects of security, they recognize and trust the security that SSL brings to e-commerce sites.  Fifty-three percent of respondents identify the padlock as adding confidence in an e-commerce site, with 42 percent associating the green bar and organization name in the URL with greater safety.

Consumers understand the padlock symbol verifies the site’s authenticity and that traffic to and from is encrypted.  Just 2 percent proceed past an “untrusted connection” message, and only 3 percent would give out credit card information without the padlock icon.

Online shopping represents more than a third of consumers’ budgets and they understand that security is a concern.  One-hundred percent of respondents either have been, or know, a cybercrime victim.

Despite being well aware of the risks, consumers need to be more attentive to overall security issues.

  • Most have at least one device they don’t bother password protecting.  The most common device left unguarded is the tablet, a device that 61 percent leave unprotected.
  • 43 percent are happy to use Wi-Fi without regard to security issues, as long as it is free.
  • Finally, 33 percent use just one or two passwords to login across all their websites.  This is especially problematic when considering the number of companies experiencing breaches that resulted in stolen passwords within the last few years.

Forty-two percent of respondents understand at a high level that the green bar means more safety, although confusion remains as to how companies receive the extended validation (EV) certification.  Sites with EV-SSL certificates provide visual cues, such as the organization’s name and the green bar in the browser’s URL. EV-SSL certificates are only issued by CAs after a rigorous identity verification process and provide the highest level of authentication available for consumers to validate the website owner’s legitimacy. 

“Consumers know to favor websites that display the padlock symbol, the organization’s name, and the green bar in the URL, but they could still benefit from greater education,” said Dean Coclin, Steering Committee, CA Security Council.  “We are using the results of the study to focus on how to increase education about how certificates work, the benefits of authentication, and to highlight why EV provides value to businesses and consumers. Better educated consumers are not only less likely to fall victim to cyber thieves, but they’re more likely to help their friends and family adopt conscientious behaviors, too.”

A final survey question dealt with who consumers trust most and least while shopping online.  Financial institutions score highest (68 percent), followed by certificate authorities (49 percent).  Browsers (42 percent), online merchants (40 percent) and stores offering free Wi-Fi (17 percent) come in last.

“Validation matters. Without the padlock symbol, the organization’s name, and the green bar, consumers are left to trust the online merchant exclusively, and only a minority is comfortable with that,” said Robin Alden, Steering Committee, CA Security Council. “The lesson for retailers is that by adding an EV certificate you will draw a larger share of the more than 200 million Americans who are spending nearly $6 billion online. That’s pretty powerful for a padlock smaller than the size of a pencil eraser!”

“The results of our survey provide further substantiation that users do pay attention to security warnings and visual indicators of trust in the browser,” said Jeremy Rowley, Steering Committee, CA Security Council. “We support the ongoing work of Google and other researchers to improve security messages as a way of helping users navigate an otherwise complex security environment.”


The survey findings point to five best practices consumers should follow to keep their information safe:

  • Update your browser to the latest version, which addresses the most current online risks.
  • Look for “https” in the address bar.  The “s” means it’s secure.  You should also see a padlock symbol.  For an added sign that the site is authentic, look for the green browser bar and the website’s name to appear in green.
  • If your browser gives you a message about an untrusted security certificate for a website, don’t proceed.
  • Wherever possible, don’t allow an organization to keep your payment information on file.
  • Regulated industries and e-commerce should use high validation to provide stronger trust and assurance to customers and to protect against fraud.

To view and download a complete copy of the report, please visit

Survey Methodology

For this report, the CASC commissioned Survata Consumer Research to survey U.S. consumers to gauge how security savvy they really are, and how much they trust their e-commerce infrastructure. Survata canvased 670 adults 18 years or older who shopped at least several times each year.

About the CA Security Council

The CA Security Council (CASC) is comprised of leading global Certificate Authorities that are committed to the exploration and promotion of best practices that advance trusted SSL deployment and CA operations as well as the security of the internet in general. While not a standards-setting organization, the CASC works collaboratively to improve understanding of critical policies and their potential impact on the internet infrastructure. More information is available at

Media Contact

Sherri Walkenhorst
Connect Marketing
(801) 373-7888

This article was originally published by the "CA Security Council". In 2021 the CASC was restructured and renamed the "Public Key Infrastructure Consortium", or "PKI Consortium" for short.
