If you've ever noticed the padlock icon next to a website address in your browser, you've seen SSL in action. If your own website doesn't have that padlock — or if you're not sure — this article explains what you need to know and why it matters for your business.
We'll skip the deep technical details and focus on what SSL means in practical terms: for your customers, your search rankings, and your credibility.
What SSL Actually Does
SSL stands for Secure Sockets Layer (though the current technology is technically called TLS — Transport Layer Security). In plain language, it's encryption that protects the connection between a visitor's browser and your website's server.
Think of it like sending a letter in a sealed envelope versus a postcard. Without SSL, the information passing between your visitor and your website — including anything they type into a contact form — travels across the internet in plain text. Anyone with the right tools who intercepts that traffic can read it. With SSL, that same information is encrypted. Even if intercepted, it's unreadable.
When SSL is active on your website, the address changes from http:// to https:// — the "s" stands for secure. Browsers display a padlock icon to indicate the connection is encrypted.
Why It Matters — Even If You Don't Sell Anything Online
A common misconception is that SSL is only necessary for e-commerce sites — businesses that process credit card transactions online. That hasn't been true for years.
If your website has a contact form, you're collecting personal information: names, email addresses, phone numbers, sometimes messages describing private business matters. Under PIPEDA (Canada's federal privacy law), you have an obligation to protect personal information in your care[1]. SSL is a baseline measure for meeting that obligation.
Beyond legal requirements, there are three practical reasons every business website needs SSL:
1. Browsers Actively Warn Visitors Away from Non-HTTPS Sites
Since 2018, Google Chrome — which is the most popular browser in Canada — displays a "Not Secure" warning in the address bar for any website loaded over HTTP[2]. Other major browsers (Firefox, Safari, Edge) display similar warnings.
This warning appears before a visitor even engages with your content. For a potential customer who found you through a Google search or clicked a link from a referral, seeing "Not Secure" next to your business name is an immediate credibility problem. Many visitors will simply leave.
The warning is even more prominent when a visitor tries to interact with a form on an HTTP page. Browsers display additional alerts specifically about the risk of entering information on an unsecured page. For a business that depends on contact form submissions for leads, this is directly harmful.
Not sure if your site is properly secured? We offer free security checks for Ontario businesses — we'll tell you exactly where you stand. Get in touch.
2. Google Uses HTTPS as a Ranking Signal
Google confirmed in 2014 that HTTPS is a ranking factor[3], and its influence has only grown since. All else being equal, an HTTPS site will rank above an HTTP equivalent. When you're competing for local search visibility against other businesses in your area, every ranking signal matters.
This is particularly relevant for local Ontario businesses. The businesses you're competing with in search results — the other plumbers, accountants, restaurants, or consultants in your town — have increasingly adopted HTTPS. Not having it puts you at a measurable disadvantage in the specific searches that drive your business.
3. It Protects Your Customers' Information
This is the original purpose of SSL, and it's still the most important one. When a customer fills out your contact form, they're trusting you with their personal information. SSL encryption is the minimum standard for honoring that trust.
The risk is real, not theoretical. Public Wi-Fi networks — coffee shops, airports, hotels — are common vectors for traffic interception. A customer who fills out your contact form from a Starbucks Wi-Fi without SSL protection has their information exposed to anyone running a packet sniffer on that network. That includes their name, email, phone number, and whatever they wrote in their message.
Types of SSL Certificates
SSL certificates come in several types. For most small businesses, the distinctions that matter are:
- Domain Validated (DV) — Verifies that you control the domain. This is the standard for most small business websites and is perfectly adequate. Let's Encrypt provides DV certificates at no cost[4].
- Organization Validated (OV) — Includes verification of your business identity. Provides slightly more assurance but isn't visually different to visitors in most browsers.
- Extended Validation (EV) — The most rigorous verification. Historically displayed a green bar with the company name. Modern browsers have largely eliminated this visual distinction, making EV less relevant for small businesses.
For a small business website, a properly configured DV certificate provides the encryption, browser trust, and SEO benefit you need. The key is that it's correctly installed, covers your full domain (including www and non-www versions), and automatically renews before expiration.
Common SSL Problems
Having an SSL certificate isn't quite enough — it needs to be properly configured. Common issues include:
- Expired certificates — SSL certificates have expiration dates. If yours expires and isn't renewed, visitors see a full-page browser warning that looks alarming. Automated renewal avoids this entirely.
- Mixed content — Your pages load over HTTPS, but some images, scripts, or stylesheets still load over HTTP. This triggers a "partially secure" warning and can break page functionality.
- Missing redirect — Your HTTPS version works, but the HTTP version doesn't automatically redirect to it. This means some visitors and search engines still access the insecure version.
- Incomplete chain — The certificate is installed, but intermediate certificates are missing. Some browsers will still show a padlock, but others won't — leading to inconsistent warnings.
These are all configuration issues that a competent web host or developer resolves during setup. If your hosting provider can't explain how they handle these, that's worth noting. For a deeper look at security considerations, see our guide to website security basics for small businesses.
SSL is included as standard. Every Heartwood Digital hosting plan includes a properly configured SSL certificate with automatic renewal — no extra charge. See our pricing.
What You Should Do
Check your own website right now. Visit it in Chrome and look at the address bar. If you see a padlock, your SSL is active. If you see "Not Secure," you need to act on this promptly — it's affecting your credibility, your search rankings, and your customers' data security every day it's unresolved.
If your SSL is active, you can verify it's properly configured using a free tool like SSL Labs (ssllabs.com/ssltest). Enter your domain and look for an A rating. Anything less means there are configuration issues worth addressing.
All websites built and hosted by Heartwood Digital include properly configured SSL with automatic renewal as part of our managed hosting. It's not an add-on or an extra charge — it's a baseline security requirement that we consider non-negotiable. SSL is just one item on the list — see our complete small business website checklist for Ontario to make sure everything else is covered too.
Heartwood Digital is 100% Canadian-owned and operated, with hosting infrastructure right here in Ontario. If you have questions about your current SSL setup, we're happy to take a look.
Sources
- Government of Canada, "Personal Information Protection and Electronic Documents Act" (2000)
- Chromium Blog, "A Secure Web Is Here to Stay" (2018)
- Google Search Central, "HTTPS as a Ranking Signal" (2014)
- Let's Encrypt, "About Let's Encrypt"