Now taking new projects, limited availability each month.

What Is an SSL Certificate? The Padlock Symbol Explained for Small Business Owners

There is a small padlock that lives in the corner of your browser's address bar, and most people pass it without a thought. Its absence, though, registers immediately — "Not Secure" in plain text, visible to every visitor who arrives at your site before they have read a single word about your business. Here is what that padlock actually represents, and why the good news is simpler than most people expect.

An SSL certificate is a small file that proves your website is who it says it is, and scrambles the data passing between your site and your visitors so no one else can intercept it. It is what turns your web address from http:// to https:// and creates the padlock in the browser bar. Without one, Google marks your site as "Not Secure", visitors lose trust, and your search rankings suffer. For most small business websites, a perfectly good SSL certificate is available free of charge.

Every time you visit a website, your browser and that site exchange information in a quiet, continuous relay — your request goes out, the page comes back. That exchange travels across the internet, and along the way, it passes through servers and networks that are not yours. In principle, someone positioned at any of those waypoints could read what is passing through.

For a page about a local bakery's opening hours, this may feel like a remote concern. But the moment a website asks for your name, your phone number, or any payment detail, the question of whether that information stays private becomes rather more pressing. The person filling in your contact form is trusting you with something real. It is worth protecting.

An SSL certificate addresses this in two ways. It scrambles the data travelling between your visitor and your server so that anything intercepted along the route is unreadable gibberish. And it confirms to the visitor's browser that your website is genuinely yours — not a convincing imitation designed to harvest credentials. Both of these functions together are what the padlock communicates: this connection is private, and this site is what it claims to be.

What "https" Actually Means

You may have noticed that some web addresses begin with http:// and others with https://. The "s" stands for "secure", and it indicates that an SSL certificate is active on that site. In modern browsers — Chrome, Safari, Firefox, Edge — any site that starts with http:// (without the s) will show a "Not Secure" warning in the address bar.

Until about ten years ago, HTTPS was mainly used by banks, shops, and login pages — anywhere sensitive information was being exchanged. The rest of the web ran on HTTP without much concern. Then attitudes changed. Google began treating HTTPS as a quality signal, browsers began flagging non-HTTPS sites more aggressively, and the availability of free SSL certificates removed any remaining reason for a site not to have one.

Today, HTTPS is the baseline. Any business website that still shows a "Not Secure" warning is sending a message to visitors — whether it intends to or not — that the site may not have been maintained recently or may not be entirely trustworthy.

Why a "Not Secure" Warning Costs You Customers

Think of the moment a potential customer arrives on your website for the first time. They have searched for what you offer, found your result, clicked through — and before they have read a single word, their browser has already rendered a verdict. If the verdict is "Not Secure", displayed in plain text at the top of the screen, most people will not pause to consider whether the warning is technically warranted. They see an alert, feel a flicker of unease, and press back. The whole exchange takes perhaps two seconds. You have lost them.

This is not a hypothetical. Research on how people actually behave on websites — as opposed to how we might imagine they behave — consistently shows that a visible security warning causes a significant proportion of visitors to leave immediately. The loss is silent, requires no complaint, and leaves no record. The visitor simply disappears.

A "Not Secure" warning is not a technical detail. It is visible to every visitor, and a meaningful proportion of them will leave because of it.

There is also the Google effect to consider. Google has confirmed that HTTPS is a ranking factor — sites with SSL certificates rank slightly better than equivalent sites without one. In a competitive search, that small advantage can be the difference between appearing on the first page and slipping to the second.

Does Your Website Really Need One if You Are Not Selling Anything?

This is a reasonable question. If your website is simply a few pages describing your services and a contact form, it is tempting to think a security certificate is overkill. You are not processing payments; you are not storing passwords.

But consider the contact form. When a visitor types their name, phone number, and a message into that form and presses send, that information travels across the internet. Without HTTPS, it is sent in plain text. With HTTPS, it is encrypted. Even a simple enquiry form contains personal information, and it is reasonable to protect it.

Beyond that, there is the trust signal. The padlock is now so universal that its absence is what stands out. Visitors do not consciously think "this site has an SSL certificate" when they see the padlock, but they very much notice when it is not there.

How to Get an SSL Certificate — and Why It Is Usually Free

Until around 2016, SSL certificates cost money — sometimes significant money. A basic certificate might cost £50 to £100 a year; the higher-trust versions used by banks cost considerably more. Then a non-profit organisation called Let's Encrypt launched with the aim of making SSL certificates free for everyone, and the economics of web security changed permanently.

Today, free SSL certificates are available from multiple sources. Let's Encrypt certificates are automatically issued by most reputable hosting providers. If your website is hosted on Cloudflare Pages, GitHub Pages, Netlify, or any modern hosting platform, an SSL certificate is included at no extra cost and is usually activated automatically when you connect your domain name.

If your website is on Wix, Squarespace, or a similar platform, your SSL certificate is handled for you as part of the subscription. You do not need to do anything.

If your website is self-hosted on a server and does not yet have HTTPS active, the fix is usually straightforward: ask your hosting provider to enable a Let's Encrypt certificate. Most reputable hosts offer this as a one-click option in their control panel, and it takes a matter of minutes.

The One Time You Should Pay for an SSL Certificate

For a small business website, a free Let's Encrypt certificate is almost certainly all you will ever need. There is, however, one category of business that benefits from paying for a higher-level certificate: e-commerce sites processing payments directly.

If you are taking card payments on your own website (rather than routing customers through a third-party checkout like Stripe or PayPal), an Extended Validation (EV) certificate gives additional trust signals and puts your organisation's name in the browser bar. For most small businesses, though, payment processing happens through a trusted third party, and a free certificate is perfectly sufficient.

Frequently asked

How do I know if my website has an SSL certificate?
Open your website in a browser and look at the address bar. If it starts with https:// and shows a padlock, your certificate is active and working. If it starts with http:// or shows a "Not Secure" warning, something is missing or broken. You can click the padlock for more detail — it will tell you who issued the certificate and when it expires. The check takes about ten seconds and is worth doing even if you are fairly sure everything is fine.
Will getting an SSL certificate improve my Google ranking?
Yes, a little. Google has confirmed HTTPS as a ranking signal — it is not the most powerful factor, but it is a baseline expectation. The more significant effect is indirect: a "Not Secure" warning causes more visitors to leave immediately, and that pattern of abandonment signals to Google that your site is not meeting what people need. Over time, a high exit rate depresses your ranking. So the padlock matters both as a trust signal to people and as a technical signal to Google.
Do I need to renew my SSL certificate?
Technically yes — most certificates expire after 90 days to a year. In practice, on any modern hosting platform, renewal happens automatically in the background and you will never need to think about it. The problem arises on older, manually managed setups where someone has to remember to renew. If a "Not Secure" warning has appeared on a site that previously had HTTPS, an expired certificate is almost always the explanation. It is easily fixed, but it does need attention quickly — the warning will be visible to every visitor in the meantime.
Does GitFoundry include SSL certificates?
Yes. Every website GitFoundry builds is hosted on GitHub Pages or Cloudflare Pages, both of which automatically issue and renew free SSL certificates via Let's Encrypt. Your site will be live on HTTPS from day one with no ongoing certificate costs and no manual renewal required.