It is not always enough. For example, recently I have found several ways to spoof the URL and HTTPS lock on Google Chrome. So phishing seems to be a concern.
If you found a way to have the address bar show an HTTPS lock on a Google domain despite actually being on one, then you've found a big hole and you could make a lot of money by reproducing/reporting this security flaw.
The fact that you have found "several ways" is intriguing. You are either mistaken, or you're one of the greatest security researchers out there.
In that case, way to go, that is very impressive! I'm surprised the bounty was so low, honestly.
In response to your first comment, I should clarify that checking for a valid HTTPS URL SHOULD be sufficient, barring implementation errors in the browser. Of course, if the browser is insecure, all bets are off wrt web security. Implications may range far beyond phishing attacks in that case.
Thank you! I got involved with the security world recently and I'm really enjoying it.
And I would like to clarify myself, the comment I made earlier was a little ambiguous. The bug that got fixed only spoofs the omnibox and not the HTTPS lock. The others spoof both.
That said, when I am able to disclose these vulnerabilities, I intend to write a post about them.
