What is SSL? The Lock Icon in Your Browser

3 min read

What Does SSL Mean?

SSL stands for Secure Sockets Layer. It's the technology that puts the padlock icon in your browser's address bar and changes http:// to https://.

(Technically, the current version is called TLS — Transport Layer Security — but everyone still calls it SSL. Same idea, just a newer, stronger version.)

In plain English: SSL encrypts the connection between your visitor's browser and your website. That means nobody can eavesdrop on the data being sent back and forth.

Why Does It Matter?

For your visitors

If your site collects any information — contact forms, email addresses, passwords, payment info — SSL keeps that data private. Without it, anyone on the same network (like a coffee shop Wi-Fi) could potentially intercept that information.

For your Google ranking

Google has said outright that HTTPS is a ranking factor. Sites without SSL get ranked lower in search results.

For trust

Browsers now show clear warnings for sites without SSL. Chrome, Safari, Firefox — they all flag unencrypted sites as "Not Secure." That's a bad first impression for a potential customer.

It's expected now

In 2026, SSL isn't optional — it's the bare minimum. Visitors, search engines, and browsers all expect it. A site without SSL looks outdated and untrustworthy.

How It Works (Simply)

  1. A visitor goes to your site
  2. Their browser and your server do a quick handshake to set up an encrypted connection
  3. All data between them is now scrambled — unreadable to anyone else
  4. The padlock appears in the browser bar

This all happens automatically in milliseconds.

Do You Need One?

Yes. Every website should have SSL. Period.

The good news: it's free. Most hosting providers include SSL certificates at no extra charge. Services like Cloudflare and Let's Encrypt provide them automatically. If you're on any modern hosting platform, SSL is probably already included.

How to Get SSL

  • If you're setting up a new site — Ask your hosting provider. Most turn it on automatically now.
  • If your site says "Not Secure" — Your host probably supports SSL but it might not be enabled. Contact them or contact us and we'll get it sorted.
  • If you're on Cloudflare — SSL is included and turned on by default.

The Bottom Line

SSL is free, expected by visitors, required by Google, and enforced by browsers. If your site doesn't have it, it should. Get in touch if you need help setting it up.

The TLS Handshake: How Encryption Actually Starts

When you visit an HTTPS website, your browser and the server perform a quick negotiation called the TLS handshake before any data is exchanged. It happens in milliseconds, but a lot is going on.

The Handshake Step by Step

  1. Client Hello — Your browser says "Hey, I want a secure connection. Here are the encryption methods I support."
  2. Server Hello — The server picks the best encryption method from the list and sends back its SSL certificate (which contains its public key).
  3. Certificate Check — Your browser verifies the certificate is valid, not expired, and was issued by a trusted Certificate Authority (CA).
  4. Key Exchange — Your browser and the server agree on a shared secret key using the public key from the certificate. This key will encrypt all further communication.
  5. Secure Connection — Both sides confirm the handshake is complete. Everything from here on out is encrypted.

The whole thing takes about 50-100 milliseconds. You don't notice it, but it's the reason you can safely type your credit card number into a website.

Certificate Authorities and Trust Chains

So who decides which certificates are trustworthy? That's where Certificate Authorities (CAs) come in. A CA is an organization trusted by browsers to verify that a website is who it claims to be.

The trust works as a chain:

  • Your browser trusts a handful of root CAs (built into the browser)
  • Those root CAs trust intermediate CAs (which actually issue most certificates)
  • The intermediate CA trusts your site's certificate

If any link in the chain is broken or expired, your browser shows a security warning. Cloudflare manages this entire chain for you, which means you never have to worry about renewing or configuring intermediate certificates.

DV vs. OV vs. EV Certificates

Not all SSL certificates are created equal:

  • DV (Domain Validation) — Proves you own the domain. That's it. Issued in minutes, usually free. This is what Cloudflare provides automatically, and it's what most websites need.
  • OV (Organization Validation) — The CA also verifies your business is real (checks business registration, phone number, etc.). Takes a few days. Adds more trust but visitors can't easily tell the difference.
  • EV (Extended Validation) — The most thorough check. The CA investigates your legal identity, physical address, and operational existence. Used to show a green company name in the browser bar (most browsers removed that visual indicator, so the benefit has shrunk).

For the vast majority of small business websites, DV is perfectly fine. It's the same level of encryption — the difference is only in how thoroughly the CA checked who you are.

Certificate Transparency

Certificate Transparency (CT) is a system that logs every SSL certificate issued publicly. This means anyone can check if a certificate was issued for their domain — catching unauthorized certificates quickly.

If someone tricked a CA into issuing a fake certificate for yourbank.com, CT logs would expose it. Cloudflare participates in CT and monitors certificates for domains they manage.

Questions about your site's SSL setup? Reach out — we'll make sure your encryption is solid and your certificates are current.

Last reviewed for accuracy: February 2026

Rate this article

Related Articles

Security

What is Authentication? Keeping Your Accounts Safe

Authentication is how websites verify you are who you say you are. Here's what you need to know — including passkeys, the future of passwords.

4 min read Security

How to Spot a Phishing Email Before You Click

Phishing emails are the #1 way businesses get hacked. Here's how to spot them — even the really convincing ones.

4 min read Security

What Are Cookies and Tracking? A No-Nonsense Guide

Cookies, tracking pixels, and privacy banners — here's what's actually going on when websites ask to track you.

5 min read

Have questions? We're happy to help. Get in touch for a free consultation.