Beyond the Padlock: What HTTPS Does and Doesn't Protect

The padlock means your connection is encrypted, nothing more. We explain certificate types, why renewal now needs automation, and the common attacks HTTPS alone will never stop.

What the padlock actually promises

HTTPS is ordinary web traffic wrapped in TLS encryption, and it guarantees exactly three things. Nobody sitting between a visitor and your server can read the data passing through, whether that is a password, a card number or the contents of a contact form. Nobody can tamper with that data in transit. And the browser has checked, cryptographically, that it is talking to the domain in the address bar rather than an impostor on the same coffee-shop Wi-Fi.

It also carries practical side benefits: Google has treated HTTPS as a ranking signal for years, browsers label plain HTTP pages 'not secure', and modern browser features such as geolocation simply refuse to work without it.

But notice what is missing from the list: nothing about whether the site itself is honest, well built or secure. Chrome quietly retired the padlock icon back in 2023 because users kept reading it as 'this site is trustworthy', when it only ever meant 'this connection is encrypted'. A convincing phishing page with a free certificate gets exactly the same treatment as your bank.

Certificate types, in plain English

Certificates differ in how thoroughly the issuing authority checks who you are, not in how strongly they encrypt. A free certificate encrypts precisely as well as one costing £300 a year, so choose based on validation needs, not marketing.

  • Domain Validated (DV): proves you control the domain, nothing more. Issued automatically in minutes, free from Let's Encrypt or ZeroSSL. Right for the vast majority of small-business sites.
  • Organisation Validated (OV): the authority verifies your company details and embeds them in the certificate. Occasionally required by corporate or public-sector procurement.
  • Extended Validation (EV): deeper vetting still. Browsers stopped showing the company name in the address bar years ago, so the visible benefit has largely disappeared.
  • Wildcard and multi-domain: one certificate covering all your subdomains, or several separate hostnames. A convenience, not a security upgrade.

Paying more buys identity vetting and sometimes warranty cover. If no customer or procurement contract demands OV or EV, a free automated DV certificate is the correct choice, not the cheap one.

Need a hand with this?

Our team delivers IT & Cyber Security for UK businesses — with a free initial consultation, transparent fixed quotes and no lock-in contracts. Tell us what you're working on →

Renewal is now an automation problem

Certificate lifetimes are shrinking on an agreed industry schedule. The CA/Browser Forum, which sets the rules browsers enforce, has cut maximum validity in stages: certificates now last months rather than years, and further reductions are already timetabled. The days of buying a certificate and forgetting about it for two years are over for good.

That makes manual renewal a liability. Any decent host now renews certificates automatically using the ACME protocol that Let's Encrypt pioneered, and platforms such as Cloudflare, Netlify and Vercel handle it invisibly. Your job is simply to confirm automation is actually switched on, because an expired certificate greets every visitor with a full-screen browser warning. Commercially, that is an outage.

If you manage certificates yourself, add independent monitoring. Free uptime services will watch expiry dates and email you weeks in advance, which turns a potential emergency into a diary note.

The attacks HTTPS alone won't stop

Encryption protects data while it moves. Almost every attack that actually hits small-business websites happens somewhere else entirely, at one end of the connection or the other, and HTTPS has nothing to say about any of it.

  • Phishing: criminals obtain free DV certificates too, so most fake login and delivery pages now load over perfectly valid HTTPS.
  • Vulnerable code: SQL injection, cross-site scripting and insecure file uploads all travel happily over an encrypted connection.
  • Outdated plugins and themes: the single most common way small-business sites get hacked, padlock or no padlock.
  • Injected card skimmers: Magecart-style attacks plant malicious JavaScript inside your legitimate page, and it runs over your own HTTPS.
  • Credential attacks: stolen or reused passwords simply log in through the front door, encrypted end to end.
  • Data at rest: HTTPS does nothing for a customer database sitting unprotected on a compromised server.

The pattern is clear: the padlock defends the pipe, not the premises. Attackers know most sites have encryption these days, so they aim at the software, the passwords and the people instead.

What covers the gaps

Treat HTTPS as one layer in a short stack of defences. None of these is exotic, and most cost nothing but a little setup time.

  • HSTS tells browsers never to attempt a plain HTTP connection to your domain, closing downgrade tricks.
  • A Content Security Policy restricts which scripts are allowed to run on your pages, blunting skimmers and injected code.
  • A web application firewall filters known attack patterns before they reach your site; Cloudflare's free tier includes one.
  • Prompt updates to CMS core, plugins and themes close the holes attackers actually scan for.
  • Multi-factor authentication on your CMS, hosting and domain registrar accounts shuts down password-based takeovers.
  • Automated off-site backups turn a compromise into a bad afternoon rather than a lost month.

Key Takeaway

HTTPS encrypts data between the browser and your server; it says nothing about whether the site itself is safe. Use a free automated certificate, since encryption strength is identical to paid ones, confirm renewal is automated because lifetimes are now measured in months, then spend your security effort where attacks actually happen: plugin updates, multi-factor authentication, a firewall and off-site backups.

A ten-minute health check

  • Type your address with http:// at the front. It should redirect instantly to https://, on both the www and bare versions of your domain.
  • Run the domain through the free Qualys SSL Labs test and aim for an A grade.
  • Check the certificate expiry date, then ask your host to confirm renewal is automated.
  • Open the browser's developer console and look for mixed-content warnings, which mean images or scripts still load over plain HTTP.
  • Confirm the subdomains you actually use, such as shop or mail, are covered as well.

None of this needs deep technical knowledge, just a routine and a calendar slot every few months. If you would rather have the whole stack checked and hardened in one pass, our team can review your certificates, headers and hosting setup together.

Work With Us

Need Help With Your Digital Strategy?

Our team of experts is ready to help. Get a free consultation and tailored proposal.