Every time you visit a website, your browser and that site exchange information in a quiet, continuous relay — your request goes out, the page comes back. That exchange travels across the internet, and along the way, it passes through servers and networks that are not yours. In principle, someone positioned at any of those waypoints could read what is passing through.
For a page about a local bakery's opening hours, this may feel like a remote concern. But the moment a website asks for your name, your phone number, or any payment detail, the question of whether that information stays private becomes rather more pressing. The person filling in your contact form is trusting you with something real. It is worth protecting.
An SSL certificate addresses this in two ways. It scrambles the data travelling between your visitor and your server so that anything intercepted along the route is unreadable gibberish. And it confirms to the visitor's browser that your website is genuinely yours — not a convincing imitation designed to harvest credentials. Both of these functions together are what the padlock communicates: this connection is private, and this site is what it claims to be.
What "https" Actually Means
You may have noticed that some web addresses begin with http:// and others with https://. The "s" stands for "secure", and it indicates that an SSL certificate is active on that site. In modern browsers — Chrome, Safari, Firefox, Edge — any site that starts with http:// (without the s) will show a "Not Secure" warning in the address bar.
Until about ten years ago, HTTPS was mainly used by banks, shops, and login pages — anywhere sensitive information was being exchanged. The rest of the web ran on HTTP without much concern. Then attitudes changed. Google began treating HTTPS as a quality signal, browsers began flagging non-HTTPS sites more aggressively, and the availability of free SSL certificates removed any remaining reason for a site not to have one.
Today, HTTPS is the baseline. Any business website that still shows a "Not Secure" warning is sending a message to visitors — whether it intends to or not — that the site may not have been maintained recently or may not be entirely trustworthy.
Why a "Not Secure" Warning Costs You Customers
Think of the moment a potential customer arrives on your website for the first time. They have searched for what you offer, found your result, clicked through — and before they have read a single word, their browser has already rendered a verdict. If the verdict is "Not Secure", displayed in plain text at the top of the screen, most people will not pause to consider whether the warning is technically warranted. They see an alert, feel a flicker of unease, and press back. The whole exchange takes perhaps two seconds. You have lost them.
This is not a hypothetical. Research on how people actually behave on websites — as opposed to how we might imagine they behave — consistently shows that a visible security warning causes a significant proportion of visitors to leave immediately. The loss is silent, requires no complaint, and leaves no record. The visitor simply disappears.
A "Not Secure" warning is not a technical detail. It is visible to every visitor, and a meaningful proportion of them will leave because of it.
There is also the Google effect to consider. Google has confirmed that HTTPS is a ranking factor — sites with SSL certificates rank slightly better than equivalent sites without one. In a competitive search, that small advantage can be the difference between appearing on the first page and slipping to the second.
Does Your Website Really Need One if You Are Not Selling Anything?
This is a reasonable question. If your website is simply a few pages describing your services and a contact form, it is tempting to think a security certificate is overkill. You are not processing payments; you are not storing passwords.
But consider the contact form. When a visitor types their name, phone number, and a message into that form and presses send, that information travels across the internet. Without HTTPS, it is sent in plain text. With HTTPS, it is encrypted. Even a simple enquiry form contains personal information, and it is reasonable to protect it.
Beyond that, there is the trust signal. The padlock is now so universal that its absence is what stands out. Visitors do not consciously think "this site has an SSL certificate" when they see the padlock, but they very much notice when it is not there.
How to Get an SSL Certificate — and Why It Is Usually Free
Until around 2016, SSL certificates cost money — sometimes significant money. A basic certificate might cost £50 to £100 a year; the higher-trust versions used by banks cost considerably more. Then a non-profit organisation called Let's Encrypt launched with the aim of making SSL certificates free for everyone, and the economics of web security changed permanently.
Today, free SSL certificates are available from multiple sources. Let's Encrypt certificates are automatically issued by most reputable hosting providers. If your website is hosted on Cloudflare Pages, GitHub Pages, Netlify, or any modern hosting platform, an SSL certificate is included at no extra cost and is usually activated automatically when you connect your domain name.
If your website is on Wix, Squarespace, or a similar platform, your SSL certificate is handled for you as part of the subscription. You do not need to do anything.
If your website is self-hosted on a server and does not yet have HTTPS active, the fix is usually straightforward: ask your hosting provider to enable a Let's Encrypt certificate. Most reputable hosts offer this as a one-click option in their control panel, and it takes a matter of minutes.
The One Time You Should Pay for an SSL Certificate
For a small business website, a free Let's Encrypt certificate is almost certainly all you will ever need. There is, however, one category of business that benefits from paying for a higher-level certificate: e-commerce sites processing payments directly.
If you are taking card payments on your own website (rather than routing customers through a third-party checkout like Stripe or PayPal), an Extended Validation (EV) certificate gives additional trust signals and puts your organisation's name in the browser bar. For most small businesses, though, payment processing happens through a trusted third party, and a free certificate is perfectly sufficient.