
The Padlock: SSL and HTTPS in Plain English

6/11/2026

What the padlock in the browser bar actually protects, why 'Not Secure' warnings scare customers away, and why SSL should be free and included.

You've seen the padlock. It's the little icon next to a website's address in your browser, and for most business owners it sits in the category of "things I know matter but couldn't explain at a dinner table." That's fine. You don't need to be able to explain it. But you do need to know three things: what it actually does, what happens to your business when it's missing, and what it should cost you. The third answer is going to annoy you if you've been paying for it.

Let's take them in order, in plain English, no jargon left undefined.

What SSL and HTTPS actually are

When someone visits your website, their browser and your website's server have a conversation. The browser asks for pages, the server sends them. The visitor types things into your contact form, the form sends them back. All of that travels across the open internet, hopping through networks neither of you control: coffee shop wifi, a hotel router, a cell carrier, whatever's in between.

HTTP is the original language of that conversation, and it's sent in the clear. Anyone sitting on the network in between can read it, like a postcard.

HTTPS is the same conversation, sealed in an envelope. The "S" stands for secure. Everything traveling between the visitor and your site is encrypted, meaning it's scrambled in a way only the two ends can unscramble. Someone snooping on the coffee shop wifi sees gibberish.

SSL is the name everyone still uses for the technology that does the sealing. (Technically the modern version is called TLS, but the industry never stopped saying SSL, so we won't either.) An SSL certificate is the file installed on your website's server that makes HTTPS possible. It does two jobs:

  • Encryption. It scrambles the traffic, as described above.
  • Identity. It's issued by an organization that verified you control the domain, so the browser can tell visitors "yes, you're actually talking to airsupporthvac.com, not an impostor pretending to be it."

That's the whole concept. Padlock present means the certificate is installed, valid, and working. Padlock absent, or replaced by a warning, means it's not.

What it protects, concretely

For a typical small business site, here's what HTTPS is guarding:

  • Contact form submissions. Names, phone numbers, addresses, descriptions of the job. Without HTTPS, that's readable in transit.
  • Quote requests and any personal details. A homeowner telling you when they'll be out of town for a week is information worth protecting.
  • Login pages. If your site has any kind of customer portal or admin login, passwords sent over plain HTTP are exposed.
  • The integrity of your pages. This one surprises people. On an unencrypted connection, a bad actor in the middle can modify the page before it reaches the visitor: injecting ads, swapping your phone number, redirecting your form. HTTPS prevents tampering, not just eavesdropping.

What it does not protect: anything that happens after the data arrives. HTTPS secures the trip, not the destination. If your server gets hacked or your inbox gets phished, the padlock never claimed to help with that. It's a seatbelt, not a bodyguard.

The part that costs you money: browser warnings

Here's where this stops being a technical topic and becomes a revenue topic.

For years now, every major browser has actively flagged sites without HTTPS. Chrome puts "Not Secure" right in the address bar on plain HTTP pages. Type into a form on one of those pages and the warning gets more aggressive. Some configurations throw a full-page interstitial, the alarming red screen that makes a site look radioactive.

Now think about how your customers actually find you. Someone's water heater died, they searched, they tapped your site. They have never heard of you. They're deciding in seconds whether you seem legitimate. And the first thing their phone tells them is "Not Secure."

They don't know that the warning is about encryption in transit. They don't parse the nuance. They read "Not Secure" next to the name of your business and they hit the back button, and the next result down gets the call. You will never know it happened. There's no bounced email, no missed call log, no angry review. Just a quiet leak in the side of the funnel, every day, indefinitely.

There's a second cost: search. Google has publicly used HTTPS as a lightweight ranking signal for years, and their guidance for site owners treats it as table stakes. You can read their own documentation on securing your site with HTTPS and the broader case for it on web.dev. Will a missing certificate single-handedly tank your rankings? No. Is it one more reason for Google to prefer a competitor's page over yours when everything else is close? Yes. Local search is decided at the margins, and this is a margin you can have for free.

Which brings us to cost.

What SSL should cost: nothing

This is the part of the conversation where I sometimes watch an owner's jaw tighten, because they've been paying $79 or $149 a year for an "SSL certificate" as a line item on a hosting invoice.

Here is the plain truth: basic SSL certificates have been free since 2016, when a nonprofit certificate authority called Let's Encrypt started issuing them at no charge, automatically, at scale. A huge percentage of the entire internet now runs on free certificates. Modern hosting platforms issue and renew them automatically; nobody at the hosting company lifts a finger, because software does the whole thing.

So when a provider charges you separately for SSL, what are you buying? In almost every small business case: a line item. There are legitimately fancier certificate types for banks and large enterprises, but your five-page service business website does not need them, and the encryption strength of a free certificate is identical to a paid one. The padlock looks exactly the same to your customers because it is exactly the same.

This is one of those quiet tells we wrote about in our guide to hidden website fees. A provider charging for SSL in 2026 isn't necessarily dishonest, but it tells you something about how they price: they bill for things that cost them nothing because they're betting you won't know better. It's fair to ask what else on the invoice works that way. Our breakdown of what hosting actually costs walks through the rest of that invoice line by line.

To be clear about our own bias: we build websites, and every site we ship includes SSL with hosting at every tier, because including it costs us approximately nothing and shipping without it would be malpractice. We're not heroes for this. It's the baseline, and anyone selling you a site should be meeting it.

How to check your own site in 60 seconds

You don't need a developer for this part.

  1. Open your site on your phone, in a normal browser window, by typing the bare domain. Look at the address bar. Padlock or "tune" icon with no warning: good. "Not Secure": you have the problem described above.
  2. Try the http:// version on purpose. Type http://yourdomain.com (with the http spelled out). A properly configured site will immediately bounce you to the https:// version. If it doesn't, both versions of your site exist, and some visitors and search engines are seeing the insecure one.
  3. Click the padlock and glance at the certificate dates. Certificates expire, usually every 90 days for free ones, renewed automatically when things are set up right. If yours expired, automation is broken somewhere, and the alarming full-page warning is what your customers see.
  4. Submit your own contact form while you're at it, and confirm the page the form sits on shows the padlock. Forms are exactly where the browser warnings get loudest.

If any of those checks fail, the fix is usually quick for whoever manages your hosting: turn on the free certificate, force the redirect from HTTP to HTTPS, done. If the company managing your site says it's complicated or expensive, that's worth noting. If you built the site yourself on a platform like Wix or Squarespace, it's probably already handled; the failures we see in the wild are mostly older custom sites, sites on cheap legacy hosting, and sites where a renewal silently broke years ago and nobody was watching.
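For whoever manages the hosting, checks 2 and 3 can be scripted and run on a schedule so a broken renewal gets noticed. This is an added example, not part of the original article; the function names and the 14-day warning threshold are assumptions.

```python
import http.client
import socket
import ssl
import sys
import time
from urllib.parse import urlsplit

def bare(name):  # lower-case and drop a leading "www." so both spellings compare equal
    name = (name or "").lower()
    return name[4:] if name.startswith("www.") else name

def redirect_verdict(status, location, host):
    """Step 2: judge the server's answer to a plain http:// request."""
    target = urlsplit(location or "")
    if status not in (301, 302, 303, 307, 308) or target.scheme != "https":
        return "FAIL: http:// is not redirected to https://"
    if bare(target.hostname) != bare(host):
        return "WARN: redirect leaves the site for " + str(target.hostname)
    return "OK: http:// redirects to https://"

def days_left(not_after, now=None):  # step 3: whole days to notAfter, negative = expired
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)

def fetch_http(host, timeout=10):
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)  # never follows redirects
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def fetch_not_after(host, timeout=10):
    ctx = ssl.create_default_context()  # verifies chain, hostname and dates, like a browser
    with socket.create_connection((host, 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

def check_site(host, warn_days=14):  # warn_days is an assumed threshold, not from the article
    lines = [redirect_verdict(*fetch_http(host), host)]
    try:
        left = days_left(fetch_not_after(host))
        lines.append(("OK" if left > warn_days else "WARN") + f": certificate valid, {left} days left")
    except ssl.SSLError as exc:  # an expired or mismatched certificate lands here
        lines.append(f"FAIL: browser-style verification rejected the certificate ({exc})")
    return lines

if __name__ == "__main__" and len(sys.argv) > 1:
    print("\n".join(check_site(sys.argv[1])))
```

Run it with the bare domain as the only argument. Any FAIL or WARN line corresponds to one of the manual checks above.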

One more thing: the padlock is not a trust badge

A quick word of balance, because the padlock gets oversold in the other direction too. Scam sites have certificates. Phishing pages have padlocks. The padlock means "this connection is encrypted and you're talking to the domain in the address bar." It does not mean "this business is trustworthy." The FTC's small business security guidance at ftc.gov is a good plain-language resource on the broader picture.

For you as an owner, the practical takeaway is simple: the padlock won't win you customers, but its absence will quietly cost you some. It's a checkbox, not a strategy. Get the checkbox, then spend your energy on the things that actually convert visitors into calls, like a contact form people actually fill out and a site that loads fast and says clearly what you do.

Want the padlock handled, along with everything else?

We build done-with-you websites live on a call with you, so you watch it come together and shape it as we go. First draft in 24 hours. Live in 7 days, guaranteed. Hosting and the secure-padlock certificate are included in every tier starting at $500, because charging extra for SSL in 2026 isn't something we're willing to do. Pay-in-4 and Klarna financing available.

We're veteran-owned, based in Wilmington, NC, and we've built 1,500+ small business sites in the last 90 days, every one of them with the padlock on day one.

Book a call or see pricing.

The Padlock: SSL and HTTPS in Plain English — Omnyra