No more lock icon, so how do we know which sites are secure?

Try the icon to the left of the URL. I don't recall what Apple calls it or if it even has a name. Then, the "three dots" will appear. Otherwise, select the Safari menu > Connection Security Details. Also, Safari's Smart Search field will display a prominent "Not Secure" warning if the site is not using encryption.

Suffice it to say that if a connection is not using encryption such as a fraudulent website designed to resemble your bank or insurance company website, Safari will let you know. There are very few such sites. Having said that it is entirely possible (and even likely, if it's going to be successful) for a completely fraudulent website to use encryption. It's not a panacea.

Saxman wrote:

How can we tell when a website is secure? I no longer see the small lock icon, so how do we know?

The lock icon means that somebody went to the added step of getting a server certificate, and obtaining those certificates is easy, automated, and free.

Nothing about that lock icon indicates anything about the trustworthiness of the website itself.

And there are lots of sketchy and scammy websites.

The lock icon had only indicated that the network connection was (is) secure.

Certificate vendors have been selling more expensive certificates (DV (Domain Validation), OV (Organization Validation), or EV (Extended Validation)) for some years, and those extra-cost certificates and the different lock icons supposedly shown by different browsers then confused very nearly everybody.

Per Google:

For example: we know that the lock icon does not indicate website trustworthiness. We redesigned the lock icon in 2016 after our research showed that many users misunderstood what the icon conveyed. Despite our best efforts, our research in 2021 showed that only 11% of study participants correctly understood the precise meaning of the lock icon. This misunderstanding is not harmless — nearly all phishing sites use HTTPS, and therefore also display the lock icon. Misunderstandings are so pervasive that many organizations, including the FBI, publish explicit guidance that the lock icon is not an indicator of website safety.

Current Apple browser software (with Safari 18.4 [release notes] having deprecated the lock icon), now report an error when attempting to use an unencrypted connection to a website, so by default all browser connections are always “locked”, or your browser connection gets blocked with a warning that you must manually approve to bypass.

Typo-squatting, deliberately-confusing domain names, homoglyphs, and other “fun” await here, too. And all can have the lock icon.

https://en.wikipedia.org/wiki/Typosquatting

https://en.wikipedia.org/wiki/IDN_homograph_attack

But to answer your question above viewing the certificate itself, here is probably more than you want to know about viewing the certificate itself:

https://derflounder.wordpress.com/2025/04/14/accessing-ssl-certificate-details-in-safari-18-4-and-later/

I no longer see the small lock icon, so how do we know?

You click the three dots, then Connection Security Details.

All sites are encrypted these days. The lock icon was removed as redundant.

See what your settings are in Safari Settings > Security:

You should get a warning before Safari tries fo connect.

If this is not what you wanted, I recommend you let Apple know of a potential issue using this link:

Feedback - Safari - Apple

They will not respond in these user-to-user forums.