What SSL certificates actually do (and don't do)
You know that little padlock that sits next to the address in your browser? The one that shows up on a site whose URL starts with https://?
People will tell you the padlock means the site is safe. People are mostly wrong.
What it actually means
An SSL/TLS certificate (the thing that gives you the padlock) does exactly two jobs:
- It encrypts the connection between your browser and the website's server, so anyone on the network in between (the café Wi-Fi, your broadband provider) can't read, or quietly alter, what's passing back and forth.
- It proves that the server you're talking to was set up by whoever controls the domain name in the address bar. A certificate authority checked that control before issuing the certificate.
That's it. Those are real benefits (encryption is genuinely important), but they're a much smaller list than "the site is safe".
What it definitely doesn't mean
- It doesn't mean the site is trustworthy. Scammers can and do get certificates. They're free and automated.
- It doesn't mean the site can't be hacked. The certificate protects the connection, not the server.
- It doesn't mean your data is safe once it arrives. The site can still log every password you submit and email it to itself in plain text.
- It doesn't mean the company is real. The certificate only proves "the server has been authorised by whoever owns the domain". It says nothing about who that owner actually is.
HTTPS proves the postman didn't open the envelope. It doesn't say anything about the person who sent the letter.
How to actually check if a site is trustworthy
The padlock is necessary, but not sufficient. If you want to know whether a site is who it claims to be, look at:
- The domain name itself. Is it spelled exactly the same as the brand you expected? Scammers love paypaI.com (with a capital I instead of a lowercase l), the real brand buried in a longer name (paypal.com.something-else.com), or a foreign alphabet letter that looks like ours.
- How you got there. Did you type the URL yourself, or click a link in an email? The latter is much riskier.
- Whether anything's asking for credentials it shouldn't. Your bank won't email you a link to a login page. Neither will HMRC, the NHS, or any reputable charity.
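Here is an added example (not from the original article) of the "domain name" check above, written as a small Python script you can point at a link from an email. It folds each hostname into a "skeleton" in which the common look-alike tricks collide with the real name: a capital I or a 1 for a lowercase l, a 0 for an o, "rn" for "m", a Cyrillic а for a Latin a (which the browser shows as xn-- punycode), the brand buried inside a longer name, and the "https://paypal.com@evil.example" trick where the part you read is really a username. The list of trusted domains and the confusables table are assumptions chosen for the demonstration; a real tool would use the full Unicode confusables list.

```python
"""Added example (not from the original article): flag look-alike domains."""
from typing import Optional
import unicodedata
from urllib.parse import urlsplit

# Hand-picked confusables (assumption: a small illustrative table; real tools use
# the full Unicode confusables list). Keys are case-sensitive on purpose: only a
# CAPITAL i looks like a lowercase L, so "I" is folded but "i" is not.
CONFUSABLES = {
    "I": "l", "1": "l", "|": "l",
    "0": "o", "5": "s", "3": "e",
    "\u0430": "a", "\u0435": "e", "\u043e": "o",  # Cyrillic а е о
    "\u0440": "p", "\u0441": "c", "\u0445": "x",  # Cyrillic р с х
}

# Assumption: the domains this user actually trusts.
TRUSTED = ["paypal.com", "microsoft.com", "hmrc.gov.uk"]


def host_from_url(url: str) -> str:
    """The host a browser will really connect to.
    Everything before '@' is a username, not the site, and a :port is dropped.
    (urlsplit().hostname is avoided because it lowercases, hiding a capital I.)"""
    netloc = urlsplit(url).netloc
    netloc = netloc.rsplit("@", 1)[-1]       # paypal.com@evil.example -> evil.example
    if netloc.startswith("["):               # [IPv6 literal]:port
        return netloc[1:netloc.index("]")]
    return netloc.split(":", 1)[0]


def unpunycode(host: str) -> str:
    """Turn xn-- labels back into the characters the user sees in the address bar."""
    host = host.strip().rstrip(".")
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host          # already Unicode, or malformed punycode: leave as-is


def skeleton(host: str) -> str:
    """Fold a hostname so that look-alikes become identical strings."""
    folded = [CONFUSABLES.get(ch, ch).lower()
              for ch in unicodedata.normalize("NFKC", unpunycode(host))]
    s = "".join(folded)
    return s.replace("rn", "m").replace("vv", "w")   # letter pairs that read as one


def lookalike_of(host: str, trusted: list) -> Optional[str]:
    """Return the trusted domain that `host` impersonates, or None.
    The real domain (or a subdomain of it) is never reported. Anything else whose
    skeleton contains a trusted domain's skeleton is, which catches both the
    character swaps and the brand-as-subdomain trick."""
    h = unpunycode(host).lower()
    for good in trusted:
        g = good.lower()
        if h == g or h.endswith("." + g):
            return None
    sk = skeleton(host)
    for good in trusted:
        if skeleton(good) in sk:
            return good
    return None


def check_link(url: str, trusted: list) -> str:
    """One-line verdict for a link, e.g. one pasted from an email."""
    if "://" not in url:
        url = "http://" + url
    host = host_from_url(url)
    target = lookalike_of(host, trusted)
    if target:
        return f"SUSPICIOUS: {host!r} looks like {target} but is not"
    return f"ok: {host!r} is not pretending to be a trusted site"


if __name__ == "__main__":
    for link in ["https://www.paypal.com/signin",          # the real thing
                 "https://paypaI.com/signin",              # capital I for l
                 "https://paypal.com@evil.example/",       # username trick
                 "https://rnicrosoft.com/login",           # rn for m
                 "https://paypal.com.evil.example/",       # brand as subdomain
                 "https://xn--pypal-4ve.com/"]:            # Cyrillic а in punycode
        print(check_link(link, TRUSTED))
```

Note the order of operations in skeleton: the confusables table is applied before lowercasing, because "I" has to become "l" rather than "i". The exact-match test in lookalike_of runs first, so a trusted domain typed in capitals is recognised as itself and never reported as its own look-alike.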
For your own site
If you're running a community website:
- You absolutely need a certificate. Browsers now mark sites without one as "Not secure" and warn users away from them. Use Let's Encrypt: it's free and automated. Almost every host offers one-click installation.
- Make sure http:// redirects to https://. Otherwise people can still arrive at the unencrypted version of your site without realising.
- Set up auto-renewal. Let's Encrypt certificates last 90 days; the day yours expires, visitors get a full-page browser warning instead of your site.
- Don't pay for "Extended Validation" or "Organization Validation" certificates. Browsers stopped showing the company name in the address bar years ago, and the padlock they give you looks identical to the one a free certificate gives you.
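An added example (not from the original article) that checks the two things above, the redirect and the expiry date, and the "proves the domain" point from earlier, for your own site. Run as "python check_site.py yourdomain.example" it fetches http://yourdomain/ and confirms the answer is a redirect to https://, then connects over TLS the way a browser would, confirms the certificate actually names your host, and reports how many days it has left (a number that keeps shrinking means auto-renewal has stopped working). The 14-day warning threshold and the sample certificate used for the offline demo are assumptions; the judging functions take plain values, so they also run without a network.

```python
"""Added example (not from the original article): check a site's HTTPS setup."""
import http.client
import socket
import ssl
import sys
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Assumption: Let's Encrypt clients renew around 30 days before expiry, so a
# certificate with under 14 days left has missed more than one renewal attempt.
RENEWAL_WARNING_DAYS = 14


def _same_site(a: str, b: str) -> bool:
    """example.org and www.example.org count as the same site for a redirect."""
    strip = lambda h: (h or "").lower().removeprefix("www.")
    return strip(a) == strip(b)


def judge_redirect(status: int, location: str, host: str) -> str:
    """Verdict on the reply to GET http://host/ (status code and Location header)."""
    if status not in (301, 302, 307, 308):
        return f"FAIL: http://{host}/ answered {status} instead of redirecting to HTTPS"
    target = urlsplit(location)
    if target.scheme != "https" or not _same_site(target.hostname, host):
        return f"FAIL: http://{host}/ redirects to {location!r}, not to https://{host}/"
    if status in (302, 307):
        return f"WARN: redirect is a temporary {status}; use 301 or 308 so browsers remember it"
    return f"ok: http://{host}/ -> {location}"


def hostname_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style name match: exact, or a wildcard as the whole leftmost label.
    *.example.org covers www.example.org but not example.org or a.b.example.org."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def assess_cert(cert: dict, host: str, now: datetime) -> list:
    """Problems with a certificate in the dict form ssl's getpeercert() returns.
    An empty list means it names `host` and is not about to expire."""
    problems = []
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(hostname_matches(n, host) for n in names):
        problems.append(f"certificate names {names}, not {host}")
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    left = not_after - now
    if left <= timedelta(0):
        problems.append(f"certificate EXPIRED on {not_after:%Y-%m-%d}")
    elif left < timedelta(days=RENEWAL_WARNING_DAYS):
        problems.append(f"certificate expires in {left.days} days ({not_after:%Y-%m-%d}); check auto-renewal")
    return problems


def check_site(host: str) -> list:
    """Live check (needs network). Returns one verdict line per check."""
    report = []
    conn = http.client.HTTPConnection(host, 80, timeout=10)
    conn.request("GET", "/")
    resp = conn.getresponse()
    report.append(judge_redirect(resp.status, resp.getheader("Location", ""), host))
    conn.close()
    ctx = ssl.create_default_context()   # verifies chain and name, as a browser does
    try:
        with socket.create_connection((host, 443), timeout=10) as raw, \
             ctx.wrap_socket(raw, server_hostname=host) as tls:
            problems = assess_cert(tls.getpeercert(), host, datetime.now(timezone.utc))
    except ssl.SSLCertVerificationError as exc:
        return report + [f"FAIL: browsers will refuse this certificate: {exc.verify_message}"]
    report.extend("FAIL: " + p for p in problems)
    if not problems:
        report.append("ok: certificate names the host and has time left before renewal is due")
    return report


# Constructed sample in getpeercert() format, for the offline demo (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "example.org"),),),
    "subjectAltName": (("DNS", "example.org"), ("DNS", "www.example.org")),
    "notBefore": "Mar  1 00:00:00 2024 GMT",
    "notAfter": "May 30 00:00:00 2024 GMT",   # 90 days later, the Let's Encrypt lifetime
}


def utc(year: int, month: int, day: int) -> datetime:
    """Pretend 'today' is a given date, for the offline demo."""
    return datetime(year, month, day, tzinfo=timezone.utc)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print("\n".join(check_site(sys.argv[1])))
    else:   # offline demo against the constructed sample
        print(judge_redirect(200, "", "example.org"))
        print(assess_cert(SAMPLE_CERT, "www.example.org", utc(2024, 5, 20)))
```

Two things worth noticing. First, ssl.create_default_context() already refuses a certificate that is expired, untrusted or for the wrong name, exactly as a browser would; assess_cert adds the part a browser cannot tell you, which is how close you are to that happening. Second, a redirect to https://www.yourdomain/ from http://yourdomain/ is accepted as correct, because that is how most hosts set it up; a redirect anywhere else is reported as a failure.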
The bottom line
An SSL certificate is a seatbelt: necessary, easy to fit, and useless on its own if you're driving the wrong way down a motorway. Make sure your site has one, and then carry on with the actual work of keeping it secure.
If you'd like us to check whether yours is set up correctly, and how the rest of your site stacks up, tell us about your site and we'll come back within a couple of working days.