The padlock in the browser bar is more than a cosmetic detail. Understanding what it means — and what happens without it — is essential for every website owner.
When you visit a website, look at the address bar at the top of your browser. A secure website shows a padlock icon and its address begins with https:// — the S standing for secure. An insecure website shows a warning indicator and its address begins with http:// — without the S.
That difference is the result of something called an SSL certificate — a small piece of technology installed on the web server that encrypts the connection between the server and the visitor's browser. Understanding what that means in practice, and why it matters for your business, is what this guide covers.
✓ Secure website — HTTPS
✗ Insecure website — HTTP only
When a visitor loads a page on your website, data travels back and forth between their device and your web server. Without encryption, that data passes in plain text — meaning it could theoretically be read by anyone able to intercept it on the network. This is particularly relevant on public wifi networks, where interception is more feasible.
An SSL certificate establishes an encrypted connection so that data in transit is scrambled and unreadable to anyone other than the intended recipient. For a simple business website where no personal data is exchanged, the practical security risk without SSL is relatively low — but the consequences of not having it go well beyond the technical.
Most visitors do not understand the technical detail of SSL. What they do understand is that their browser is showing them a warning that the site is "Not secure." Research consistently shows that a large proportion of visitors will leave a site — or refuse to submit a contact form — if their browser displays this warning. The padlock is a trust signal, and its absence creates immediate doubt.
Google has used HTTPS as a ranking signal since 2014. Sites without SSL are at a disadvantage in search results compared to equivalent sites that have it. Beyond rankings, Chrome — by far the most widely used browser — displays prominent "Not secure" warnings on HTTP pages, which discourages visitors from staying.
If your website has a contact form, a newsletter sign-up, or any other mechanism through which visitors submit personal information, transmitting that data over an unencrypted connection is a data protection concern. Under UK GDPR, you are required to implement appropriate technical measures to protect personal data — and an SSL certificate is the minimum expectation for any site collecting visitor information.
SSL certificates come in different types, reflecting different levels of validation. For most small business websites, the simplest type is perfectly adequate.
Confirms that the certificate holder controls the domain. The most common type for small business websites. Free versions are widely available and provide the padlock and encrypted connection that most sites need.
Confirms the domain and that the organisation behind it is legitimate. Involves a verification process with the certificate authority. More appropriate for larger businesses or those handling sensitive data.
The most rigorous level of validation, previously displaying the company name in the browser bar. Used by banks and large e-commerce sites. Rarely necessary for a standard small business website.
Most reputable hosting providers include a free Domain Validation SSL certificate as standard. If your hosting provider charges extra for SSL, or does not offer it at all, this is worth reconsidering — free, trusted SSL certificates have been widely available for many years and there is no good reason to pay significantly for a basic one.
The quickest check is simply to visit your website and look at the address bar. If the address begins with https:// and shows a padlock, your SSL certificate is in place and working. If it begins with http:// or shows a warning, it is not.
If SSL is missing, contact your hosting provider — in most cases they can install a free certificate within minutes. If your website was recently built and SSL is not in place, raise it with your web designer immediately. It is a basic requirement that should have been addressed before the site went live.
Note: Having an SSL certificate installed is not the same as the entire site being fully secure. SSL encrypts the connection but does not protect against other security vulnerabilities such as outdated software, weak passwords, or malicious code. It is a necessary foundation, but not a complete security solution on its own.
