SSL and HTTPS explained — encryption, trust, and the most common mistakes

What SSL and TLS technically do

SSL stands for Secure Sockets Layer, TLS for Transport Layer Security. Technically the two terms are practically congruent today — SSL is the historical designation, TLS the modern standard. When someone says "SSL certificate", they almost always mean a TLS certificate. The industry has kept the old name because everyone knows it.

What the technology does can be described in one sentence: it encrypts the connection between your visitor's browser and your web server so that no one in between can read the content. If someone sits in a public Wi-Fi — at the café, at the station, at the hotel — the Wi-Fi operator can see which servers your visitor communicates with, but not what they enter or read there.

A second function comes with it: identity confirmation. The certificate tells the browser that it is actually communicating with the server belonging to the typed-in domain. No one can push themselves in between and pretend to be your server without the browser noticing.

Stefan, a plumbing and heating contractor in Carinthia with 14 employees, ignored the topic for a long time. His site ran for years without HTTPS, which went unnoticed until 2017 and then, from 2018 onwards, became visible as a prominent browser warning. When a customer called and said "I'm being told your website is not secure", the pressure to act became concrete. The switch took one morning; the impression on visitors changed immediately.

Why HTTPS is mandatory today

Three reasons why HTTPS is no longer negotiable.

First, the browser display. Chrome, Firefox, Safari, and Edge have shown a visible "Not secure" hint in the address bar for every page without HTTPS since 2018. With forms an additional warning comes up as soon as the visitor clicks into an input field. That is not a detail — that is the first thing your visitors see.

Second, the Google ranking. HTTPS has been a ranking factor since 2014, since 2018 a clearly weighted one. Sites without HTTPS rank worse with comparable content. In saturated local markets — web design Villach, plumber Klagenfurt, hotel Pörtschach — that is often the difference between top 10 and page 2.

Third, the GDPR. Anyone running forms transmits personal data. Article 32 GDPR demands "appropriate measures" — including encryption of transmission. Anyone with a contact form without HTTPS has a direct GDPR violation in live operation.

The good news: HTTPS at reputable hosts costs nothing and is usually set up within an hour. If you pay money for it, you have the wrong host.

Three certificate types — DV, OV, and EV

When you dig deeper into the subject, you come across three letter combinations. They differ in how strict the identity check was when the certificate was issued.

DV — Domain Validation. The simplest and most common form. The certificate authority only verifies that you have control over the domain for which the certificate is issued. This check runs automatically, takes minutes, and is free. Visible to the visitor: the lock symbol in the address bar, no additional information.

OV — Organization Validation. Here the certificate authority additionally verifies that the company named in the application actually exists — commercial register extract, telephone verification, sometimes an address check. Duration: one to five business days. Cost: typically 50 to 250 euros per year. Visible to the visitor: the lock; in the certificate details the full company name appears.

EV — Extended Validation. The strictest variant with additional identity verification of the applying person, signature authority, and a formal contract situation. Cost: 150 to 800 euros per year, duration several business days. Until 2019, EV certificates were visible in browsers as a green address-bar strip with company name — since 2019 no modern browser shows this strip any more. The visibility that previously justified EV simply no longer exists.

Why DV is fully sufficient for most SMEs

The honest answer, which does not appear that way in many provider ads: for 95 percent of all SME sites in Austria, a DV certificate is technically and communicatively sufficient.

Encryption quality does not differ between DV, OV, and EV. All three use the same algorithms, the same key lengths, the same TLS protocol. What differs is only the check at issuance — not the finished product.

Visibility to the visitor has been practically identical for all three types since the 2019 browser update: a lock in the address bar, no additional notice. Anyone wanting to make something visible to the visitor would have to actively get them to expand the certificate in detail — which visitors never do.

OV and EV today have two specific use cases. First, regulated industries with compliance requirements — banks, some insurers, certain medical areas. Second, sites with high-value transactions where the additional identity information in the certificate matters for the other party's records.

If you run a normal SME site, a hotel booking portal, a craftsman's presence, or an online shop up to six-figure annual turnover, take a DV certificate and save the money for more sensible investments.

Let's Encrypt and automatic renewal

Probably the most important development of the past ten years in the SSL field is Let's Encrypt — a non-profit certificate authority that has been issuing free DV certificates since 2015. As of 2026, Let's Encrypt secures a large share of all HTTPS connections on the open web[1].

Three properties make Let's Encrypt the standard choice for SME sites.

First, the price. Zero euros per year, without hidden conditions. What finances Let's Encrypt are donations from major tech companies plus the Internet Society as parent organisation.

Second, the short duration. A Let's Encrypt certificate is only valid for 90 days. What sounds like effort is in practice a security advantage: compromised certificates expire quickly, and renewal runs on every reputable hosting system fully automatically.

Third, the automation. Programs such as Certbot, or the renewal routines built into modern hosting panels, take care of the renewal autonomously, long before the old certificate expires. You notice nothing of the whole mechanism in ongoing operation.

If you have a reputable host, you get Let's Encrypt with one click. If you still pay money for a DV certificate to be issued, you are maintaining an outdated business model.

Mixed Content — the most common mistake after the HTTPS move

When a site moves to HTTPS, a new symptom often appears in the first weeks: the browser reports "Mixed Content" or shows the lock symbol as not fully secure. That happens when the page itself loads over HTTPS but individual elements — images, scripts, stylesheets — are still embedded over the old HTTP address.

Consequence: the browser blocks critical content (scripts, CSS), shows a warning, or loads the page with limited function. From the visitor's perspective: the site looks broken, even though technically everything is set up.

Three places where mixed content most commonly arises.

Image paths in the content that start with http:// instead of https://. Especially older posts written before the HTTPS move often contain hard-coded HTTP addresses.

Embedded external scripts — for instance tracking, analytics, fonts, maps. If the external source itself uses HTTP instead of HTTPS, the browser blocks it on an HTTPS page.

Hard-coded server addresses in theme or plugin settings. Some themes store the site URL including protocol — after the HTTPS move, these settings have to be updated, otherwise they keep pointing to the old HTTP variant.
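The three sources above can be checked mechanically. The following is an added example, not code from the article: a small scanner that walks an HTML document and reports sub-resources still referenced over http://, separating active content that browsers block (scripts, stylesheets, frames) from passive content that only triggers a warning (images, media). The sample page is constructed; plain links to other sites are navigation, not mixed content, and are deliberately ignored.

```python
# Added example (not from the article): find mixed content in an HTML page.
# A page served over HTTPS must not load sub-resources over plain http://.
# Browsers block "active" mixed content (scripts, CSS, frames) outright and
# warn about or auto-upgrade "passive" content (images, audio, video).
# <a href="http://..."> is a navigation link, not a loaded resource, so it
# is not reported.
from html.parser import HTMLParser
from urllib.parse import urlparse

ACTIVE = {"script", "link", "iframe", "object", "embed"}   # blocked by browsers
PASSIVE = {"img", "audio", "video", "source"}               # warning only

class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []   # (tag, attribute, url, severity)

    def handle_starttag(self, tag, attrs):
        if tag not in ACTIVE | PASSIVE:
            return
        # Only <link rel="stylesheet"> loads a resource; rel="canonical" etc. do not.
        if tag == "link" and not any(
                n == "rel" and v and "stylesheet" in v.lower() for n, v in attrs):
            return
        for name, value in attrs:
            if name in ("src", "href", "data", "poster") and value \
                    and urlparse(value.strip()).scheme == "http":
                severity = "blocked" if tag in ACTIVE else "passive"
                self.findings.append((tag, name, value, severity))

def find_mixed_content(html: str):
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.findings

# Constructed sample: a post written before the HTTPS move (hosts invented).
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.com/theme.css">
<link rel="canonical" href="http://www.example.com/post">
<script src="http://maps.example.net/embed.js"></script>
<script src="https://analytics.example.net/a.js"></script>
</head><body>
<img src="http://www.example.com/wp-content/uploads/van.jpg">
<img src="//fonts.example.org/logo.png">
<a href="http://partner.example.com/">partner link</a>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url, severity in find_mixed_content(SAMPLE):
        print(f"{severity:8} <{tag} {attr}> {url}")
```

Running it against the sample reports the stylesheet and the maps script as blocked and the upload image as passive; the protocol-relative logo and the partner link pass.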

Expired certificates and missing redirects

Two further mistakes that often only catch attention months after the first setup.

Expired certificates. Anyone who had a paid certificate with a one- or two-year duration and forgets the renewal suddenly has a site with a full browser warning. With Let's Encrypt certificates this practically never happens because renewal runs automatically — but with old manually procured certificates it is the most common incident.

Missing redirect from HTTP to HTTPS. Even if your site runs over HTTPS, it can still be reached via the old HTTP address if no redirect is set up. Consequence: double indexing in Google (HTTP and HTTPS version of the same content), confusion in Search Console, worse rankings.

The clean way is a permanent 301 redirect at server level: every HTTP request is automatically redirected to HTTPS. With reputable hosts this is a single setting, on your own server two to five lines of configuration. Anyone who does not do this runs two sites in parallel and should not be surprised that neither ranks properly.

How to check the SSL status of your site yourself

Four free tools that give you the status of your site in ten minutes.

The lock symbol in the address bar. If the lock is fully closed, you have a valid certificate. If it is crossed out, shows an orange triangle, or "Not secure" appears next to it, you have a concrete problem — certificate expired, mixed content, or no HTTPS at all.

Clicking on the lock symbol. Here you see who issued the certificate, when it expires, and for which domain it is valid. If the expiry date approaches and you have no automatic renewal, that is the right place for the reminder.

SSL Labs (ssllabs.com/ssltest). A free test that checks the technical quality of your SSL configuration — protocol version, key strength, cipher suites, possible vulnerabilities. A grade of A or A+ is the goal. With B or worse, the report lists concrete improvements that your host or designer can implement.

The browser console (right-click "Inspect" → tab "Console"). Here you see mixed-content warnings and blocked requests. If the console is clean, your HTTPS implementation is in order.
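The "click on the lock" check from the list above can also be scripted so that the expiry date lands in a reminder instead of being looked up by hand. This is an added example, not code from the article: fetch_peer_cert() opens a real, fully verified TLS connection and returns the certificate as Python's ssl module presents it; summarise_cert() extracts issuer, covered domain names and days remaining and flags certificates that are expired or inside an assumed 30-day warning window. SAMPLE_CERT is a constructed dictionary shaped like getpeercert() output so the summary can be exercised offline.

```python
# Added example (not from the article): read issuer, names and expiry of a
# site's certificate the way the browser's lock-symbol dialog shows them.
import socket
import ssl
import time
from typing import Optional

WARN_DAYS = 30   # assumption: flag certificates with less than 30 days left

def fetch_peer_cert(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with full chain and hostname verification, return the leaf cert."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

def summarise_cert(cert: dict, now: Optional[float] = None) -> dict:
    """Turn a getpeercert() dict into the facts a site owner needs."""
    now = time.time() if now is None else now
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    # notAfter looks like 'Dec 30 00:00:00 2026 GMT'; ssl parses that format.
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = int((not_after - now) // 86400)
    return {
        "issuer": issuer.get("organizationName", "?"),
        "names": names,
        "days_left": days_left,
        "expired": days_left < 0,
        "renew_soon": 0 <= days_left < WARN_DAYS,
    }

# Constructed sample shaped like getpeercert() output; all values invented.
SAMPLE_CERT = {
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),),
               (("commonName", "Example CA R1"),)),
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com")),
    "notBefore": "Oct 01 00:00:00 2026 GMT",
    "notAfter": "Dec 30 00:00:00 2026 GMT",
}

if __name__ == "__main__":
    import sys
    cert = fetch_peer_cert(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CERT
    print(summarise_cert(cert))
```

Pass a hostname as the first argument to check a live site; without one the constructed sample is summarised.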

When more than a DV certificate is sensible

Three specific setups in which OV or EV have their justification.

First, regulated industries with compliance requirements. Banks, certain insurance areas, some medical and legal applications require either legally or contractually an OV or EV variant. Anyone working in such industries usually knows it anyway.

Second, B2B sites with large, long-running contracts. If the counterpart has a compliance department that formally checks your site's certificate, OV can lower a hurdle. That is rare and concerns corporate supply chains more than SME sales.

Third, wildcard certificates for many subdomains. If you have a main site plus twenty subdomains (shop., careers., members., …), a single wildcard certificate can be cheaper than twenty individual ones. Let's Encrypt has supported wildcards for free since 2018, but the setup is technically more demanding.

For the typical SME site — main domain plus possibly www. variant — Let's Encrypt with a standard DV certificate is the right choice. Anyone needing something else for one of these three special reasons either already knows it or has a security adviser make the specific recommendation.

What has changed since 2024

Three developments that have changed the picture over the past two years.

First, TLS 1.3 as the new standard. The predecessor versions TLS 1.0 and 1.1 have been classified as insecure since 2020, TLS 1.2 remains acceptable, TLS 1.3 is the current recommendation. Modern hosts configure this automatically — anyone with a very old hosting configuration should check the TLS status.

Second, ever shorter certificate durations. Until 2020 multi-year certificates were common; since September 2020 the maximum has been 397 days. The CA/Browser Forum decided in 2025 to reduce the maximum duration in stages over the coming years. Anyone using manually procured certificates can no longer manage without automation.

Third, stricter handling of mixed content. Current browsers block mixed content considerably more aggressively than two years ago. Sites that loosely embedded scripts and images in the HTTP era and never cleaned up often look broken today, without the operator noticing — because they only see the site in their own cache, which knows the old paths.

These three points together mean: SSL is no longer a "set it up once, then forget it" topic. It belongs in routine site maintenance, briefly looked at once per quarter.

Frequently Asked Questions

Do I need SSL/HTTPS even for a small business-card website?

Yes. Browsers mark HTTP pages as "Not secure", which visitors immediately see. Google ranks HTTPS sites better. Anyone running forms without HTTPS has a GDPR violation. At reputable hosts HTTPS costs nothing and is set up in an hour — there is no rational reason to do without.

What is the difference between Let's Encrypt and a paid certificate?

Encryption is identical. Differences exist in identity verification (Let's Encrypt only checks domain control, paid providers check, depending on variant, the company additionally), in duration (Let's Encrypt 90 days, others up to 397 days), and in optional add-ons such as liability insurance. For most SME sites, Let's Encrypt is fully sufficient.

How long does it take to switch a site to HTTPS?

At a reputable host with automatic Let's Encrypt: one hour, including 301 redirect and mixed-content clean-up. With a large, old site with hard-coded HTTP paths: half a day to a full day. Anyone with their own server configuration should plan external help for the setup if no experience exists with it.

What does the "Not secure" display in the browser mean?

It means the page is being accessed without HTTPS, i.e. unencrypted. Data the visitor enters could be read by third parties. With modern browsers the display appears for every HTTP page; with forms an additional warning comes up as soon as the visitor clicks into a field.

How often does an SSL certificate need to be renewed?

Let's Encrypt certificates every 90 days, fully automated. Classic DV certificates every 397 days at most, depending on the provider. OV and EV certificates likewise a maximum of 397 days. The maximum duration is being reduced further over the coming years for all types, which makes automation practically mandatory.

What does an SSL certificate cost in 2026?

Let's Encrypt: free. Commercial DV certificates: 0 to 60 euros per year, depending on provider. OV certificates: 50 to 250 euros per year. EV certificates: 150 to 800 euros per year. For 95 percent of all SME sites, the free Let's Encrypt certificate is the right choice.

What to check now

Open your own site, look at the lock symbol, click on it, and see when the certificate expires and who issued it. If an expiry date closer than three months is shown there and you do not know of any automatic renewal, you have a concrete date in the calendar. If you have understood SSL as the entrance ticket, you see the broader security context more clearly — the other four fundamentals are gathered in the website-security overview for SMEs, where HTTPS sits in the canon alongside updates, backups, logins, and form protection.
