You've seen the little padlock in your browser's address bar a thousand times. But what does it actually mean, and why does every website now need one? "SSL" gets thrown around as if everyone already understands it. Let's fix that — here's the whole topic in plain English.
What SSL and TLS actually are
SSL stands for Secure Sockets Layer. It's the technology that encrypts the connection between a visitor's browser and your website, so that anything sent between them — passwords, card numbers, messages — can't be read by anyone snooping in between. Strictly speaking, the modern version is called TLS (Transport Layer Security), but almost everyone still says "SSL" out of habit. When a site has it set up correctly, the browser shows that reassuring padlock.
HTTP vs HTTPS
The difference comes down to one letter. A site served over http:// sends everything as plain, readable text. A site served over https:// — the "S" is for secure — wraps that traffic in encryption. Modern browsers actively flag plain HTTP pages as "Not Secure," which is exactly the kind of warning that sends visitors running.
Why it matters
An SSL certificate isn't just a security checkbox — it affects how your whole site is perceived and ranked:
- Security. Encryption protects your visitors' data from being intercepted on public Wi-Fi or anywhere along the route.
- Trust. The padlock tells visitors your site is legitimate. No padlock — or a scary warning — and many people simply leave.
- SEO. Search engines treat HTTPS as a ranking signal. All else being equal, a secure site has an edge over an insecure one.
- No browser warnings. Without a valid certificate, browsers display "Not Secure" labels and sometimes full-screen warnings that block the page entirely.
SSL used to be something only online shops bothered with. Today it's the baseline for every site — a blog, a portfolio or a store. If you collect so much as an email address, you need it.
The types of certificates
Not all certificates are the same. They differ in how much the issuer verifies about you, and how many domains they cover.
Domain Validation (DV)
The most common type. The issuer only confirms that you control the domain, so DV certificates can be issued in minutes and are usually free. Perfect for blogs, brochure sites and most small businesses.
Organisation Validation (OV)
The issuer verifies your organisation's identity as well as the domain, providing an extra layer of assurance. A common choice for company and corporate sites.
Extended Validation (EV)
The most rigorous tier, involving a thorough vetting of the business. Historically EV showed the company name in the address bar; today its main value is the strict verification behind it. Often used by banks and large e-commerce brands.
Wildcard certificates
A wildcard secures a domain and all of its subdomains — shop.yoursite.com, blog.yoursite.com and so on — with a single certificate. Handy when you run several subdomains.
How certificates work, at a high level
You don't need the cryptography degree, just the gist:
- A trusted Certificate Authority verifies that you control your domain and issues you a certificate.
- That certificate is installed on your server and contains a public key.
- When a browser connects, the two perform a quick "handshake," agree on encryption keys, and confirm the certificate is valid and trusted.
- From then on, everything sent between browser and server is encrypted — and the padlock appears.
All of this happens automatically in a fraction of a second, every time someone visits.
How to get one — free
Here's the best news: SSL doesn't have to cost anything. Let's Encrypt, a free, non-profit Certificate Authority, issues DV certificates trusted by every major browser. Better still, you usually don't need to touch it yourself — good hosts issue and renew certificates for you automatically. On HostFilya, free SSL is included on every plan and auto-renews before it expires, so the padlock simply stays on without you lifting a finger.
Watch out for mixed content
One common gotcha after switching to HTTPS is mixed content: your page loads over a secure connection, but it still pulls in an image, script or stylesheet over plain http://. Browsers flag this and may break the padlock or block the resource. The fix is to make sure every asset on the page uses https:// (or protocol-relative links). Most platforms offer a quick "force HTTPS" setting or a plugin that rewrites old links for you.
The bottom line
SSL is no longer optional — it protects your visitors, earns their trust, keeps browsers happy and helps your search rankings. The encryption is genuinely complex, but getting set up doesn't have to be: choose a host that issues and renews SSL automatically, fix any mixed-content links, and your site stays secure with the padlock firmly in place.
