[giobox]

> Users can't assume that a site is safe anymore because of a green padlock because HTTPS is so easy/cheap to implement

I don't think this has meaningfully changed today vs the past as you suggest. HTTPS has been cheap and _relatively_ (for an engineer anyway) easy to implement if you cared for quite some time, even before the advent of free SSL certificate services like Letsencrypt etc.

I certainly don't agree that widespread SSL/HTTPS has somehow devalued the significance of the green padlock as you are implying - the level of security it implies for your in-transit requests is still much the same as it always was, it just happens to be used on many more sites than in days past.

For this argument to hold, we would need to assume that for some reason in the past, only "good actors" of some kind used HTTPS due to its expense/complexity, and therefore the padlock was somehow certifying their good intent. This has never been the case, and HTTPS (perhaps with some small degree of exception for the newer Extended Validation certs...) continues to really only indicate your requests will be encrypted in transit only.