Can an HTTPS site be malicious or unsafe?

No, HTTPS does not necessarily mean that a site is not malicious. HTTPS means very little as to the security of a site. It's specifically geared to keep your communication with the site secure from eavesdroppers and tampering, but offers nothing as to the security of the site itself.

Yes, a site serving content over HTTPS has a certificate. That means that the individual who requested the certificate from the CA has an email address that is associated with the domain. Except in the case of Extended Validation certificates (the ones that offer a green address bar), this is literally all it means. Nobody from the CA is validating that the site is safe, secure, and not serving malware. Any site, with an SSL cert or without, can have bugs and vulnerabilities that allow an attacker to leverage them to serve an exploit. Or an admin or user who has the ability to either maliciously or unknowingly cause the site to serve malware. Even if the site itself does not, if it serves advertisements (or any other content, for that matter) from an ad network or another site, that could be vulnerable.

So, HTTPS means that nobody should be able to view or tamper with your traffic. That is all that it means.


Not at all a guarantee. HTTPS means that the web page has SSL, which simply means that your connection to the page is encrypted. The content on the page could be anything that could be posted on any web site whether encrypted by SSL or not.

Additionally, as listed in the answers in the comments below, you can be fooled into a false sense of security when (in different types of examples) the target server is compromised, or a hacker redirects your https site data to a different https encrypted location. You can still be encrypted to a site, but possibly even a fake site that looks like the real one instead.
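To make concrete what the two answers above describe (the certificate check binds a hostname, and a lookalike site with its own valid certificate still gets the padlock), here is an added illustration that is not from any of the answerers. It implements the hostname-matching rule a TLS client applies to a certificate's Subject Alternative Name list (RFC 6125: case-insensitive exact match, wildcard only as the whole leftmost label, matching exactly one label) against constructed stand-in certificates, so it runs offline. `FakeCert`, `hostname_matches` and `browser_verdict` are names chosen for this example; the certificates and domain names are constructed, not real.

```python
"""Added example: what a domain-validated certificate check actually decides.

The only question answered at the TLS layer is "does this certificate cover
the hostname I typed?". Nothing here looks at the page content, which is
why a compromised or lookalike site can still show a padlock.
"""
from dataclasses import dataclass, field


@dataclass
class FakeCert:
    """Constructed stand-in for the fields a client inspects (not a real cert)."""
    subject_cn: str
    san_dns: list = field(default_factory=list)
    issuer: str = "Example Public CA (constructed)"
    chain_valid: bool = True   # assume the CA signature chain already checked out


def _name_match(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName pattern against a hostname (RFC 6125 sec. 6.4.3)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname or "*" in hostname:
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    # Wildcard is only allowed as the entire leftmost label and matches exactly
    # one label: *.example.com covers www.example.com, but not example.com or
    # a.b.example.com. Patterns as broad as "*.com" are refused outright.
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]):
        return False
    if len(p_labels) < 3:
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def hostname_matches(cert: FakeCert, hostname: str) -> bool:
    """True if the cert covers hostname. SAN entries win; CN is only a fallback."""
    names = cert.san_dns if cert.san_dns else [cert.subject_cn]
    return any(_name_match(n, hostname) for n in names)


def browser_verdict(cert: FakeCert, hostname: str) -> str:
    """Simplified browser decision: 'padlock' or 'warning'.

    Note what is absent: no inspection of the HTML, scripts or ads the server
    will send afterwards. A valid certificate for a malicious host is still
    a valid certificate.
    """
    if cert.chain_valid and hostname_matches(cert, hostname):
        return "padlock"
    return "warning"


if __name__ == "__main__":
    # Constructed certificates for the demonstration.
    real_site = FakeCert("example.com", ["example.com", "www.example.com"])
    wildcard = FakeCert("example.com", ["*.example.com"])
    lookalike = FakeCert("examp1e.com", ["examp1e.com"])   # its own valid cert

    print("example.com   with real cert     :", browser_verdict(real_site, "example.com"))
    print("examp1e.com   with lookalike cert:", browser_verdict(lookalike, "examp1e.com"))
    print("examp1e.com   with real cert     :", browser_verdict(real_site, "examp1e.com"))
    print("a.b.example.com with *.example.com:", browser_verdict(wildcard, "a.b.example.com"))
```

The third line of output is the one HTTPS genuinely protects against: a server that cannot present a certificate for the name you typed gets a warning. The second line is the limit the answers point out: a different domain with its own properly issued certificate passes exactly the same check, and the content it serves is never examined.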


In short: Yes, it can indeed be malicious!

Accessing a site via HTTPS means that the connection between your computer and the website's server is encrypted and secure.

What HTTPS does

  • Encrypt the data being transmitted over the network between your computer and the website's server to prevent third parties from intercepting it.
  • Prevent man in the middle attacks.

What HTTPS does not do

  • HTTPS does not scan the content being served by the website for viruses or malicious elements.

Therefore it's still possible for the website's authors (or someone who has gained unauthorized access to the website) to have the website itself serve malicious content to your browser.