A Padlock and Https Don't Mean a Website is Safe
Looking for the padlock and "https://" in an e-commerce website's URL is not enough to be assured that the website is safe.
Recent research from anti-phishing company PhishLabs indicates that 49 percent of all phishing sites in the third quarter of 2018 bore the padlock security icon next to the phishing site domain name as displayed in a browser address bar.
In reality, the https:// part of the address (SSL) merely signifies the data being transmitted back and forth between your browser and the site is encrypted and can’t be read by third parties. The presence of the padlock does not mean the site is legitimate, nor is it any proof the site has been security-hardened against intrusion from hackers.
According to PhishLabs, phishers register their own domain names and create certificates for them.
In addition, some phishing sites take advantage of internationalized domain names (IDNs) to introduce visual confusion. While Chrome, Safari and recent versions of Microsoft’s Internet Explorer and Edge browsers all render IDNs in their clunky punycode state, Firefox will convert the code to the look-alike domain as displayed in the address bar. If you’re a Firefox (or Tor) user and would like Firefox to always render IDNs as their punycode equivalent in the browser address bar, type "about:config" without the quotes into a Firefox address bar. Then in the "search:" box type "punycode," and you should see one or two options there. The one you want is called "network.IDN_show_punycode." By default, it is set to "false"; double-clicking that entry should change that setting to "true."
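The same punycode view can be produced outside the browser, for example when reviewing hostnames from mail or proxy logs. The following Python sketch is an added example, not part of the original article: it converts each label of a hostname between its Unicode and "xn--" forms and flags labels that mix scripts. The function names, the sample hostnames and the script heuristic (first word of the Unicode character name) are assumptions made for illustration.

```python
import unicodedata

def to_unicode(label):
    """Decode an xn-- label; return it unchanged if it is not valid punycode."""
    if label.startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label
    return label

def to_ascii(label):
    """Encode a label to its xn-- (punycode) form; ASCII labels pass through."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")

def scripts_in(label):
    """Heuristic: the first word of a letter's Unicode name approximates its script."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}

def inspect_host(host):
    """Return both renderings of a hostname plus the labels that mix scripts."""
    labels = [to_unicode(l) for l in host.lower().rstrip(".").split(".")]
    return {
        "unicode": ".".join(labels),
        "ascii": ".".join(to_ascii(l) for l in labels),
        "is_idn": any(not l.isascii() for l in labels),
        "mixed_script_labels": [l for l in labels if len(scripts_in(l)) > 1],
    }

if __name__ == "__main__":
    # Constructed sample hostnames (not from the article): plain ASCII,
    # a label starting with Cyrillic U+0430, and a single-script IDN.
    for host in ["apple.example", "\u0430pple.example", "b\u00fccher.example"]:
        print(inspect_host(host))
```

A label that mixes scripts is a strong hint of a look-alike, but a clean result is not proof of legitimacy: a name written entirely in one non-Latin script can still resemble a Latin one.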
The bottom line is that the presence or lack of SSL doesn’t tell you anything about a site’s legitimacy.