The padlock is a promise, not decoration
When a browser shows a padlock next to a web address, it's confirming two specific things: the connection between the visitor's browser and the server is encrypted, and the server has proven its identity with a certificate issued by a trusted authority. Neither of those things is automatic — both depend on SSL (technically its successor, TLS) being correctly configured.
What happens in the handshake
When a browser connects to a site over HTTPS, it performs what's called a TLS handshake before any page content loads. The server presents its certificate, the browser checks it was issued by a trusted authority and hasn't expired, and the two sides agree on an encryption key used only for that session. All of this happens in a fraction of a second before the page even begins to render.
Once the handshake completes, everything sent between browser and server — form submissions, login details, page content — is encrypted in transit, meaning anyone intercepting the connection sees scrambled data rather than readable text.
Why it matters beyond the padlock icon
Search engines treat HTTPS as a ranking signal, so an unencrypted site is at a measurable disadvantage before a visitor even arrives. Browsers also actively warn visitors when a site lacks a valid certificate, which is enough to make many people leave immediately rather than proceed.
Beyond search and trust signals, SSL is a genuine security requirement any time a site collects information through a form — even something as simple as a newsletter signup involves data that shouldn't travel unencrypted.
Free certificates changed everything
SSL certificates used to cost money and require manual renewal, which is part of why unencrypted sites were common for years. Let's Encrypt, a free and automated certificate authority, changed that — most modern hosts, including Traxio, issue and automatically renew SSL certificates for every domain at no cost, with no manual steps required from the site owner.
Checking your own site is set up correctly
Beyond the padlock icon, worth checking: that the non-secure http:// version of your domain redirects to https:// automatically, and that there's no 'mixed content' warning, which happens when a secure page loads an image or script from an insecure address. Both are common oversights after a site migration and both are usually a quick fix once identified.
Discussion is coming soon. In the meantime, if you have a question about this article, get in touch or open a ticket from your client area.