If a customer types your address into Chrome and sees “Not Secure” in red or grey next to the URL, they don’t need to know what that means. They just leave. Browsers have made the warning more aggressive every year, and to a non-technical customer it reads like “this site is dangerous.” The fix takes about ten minutes and costs effectively nothing — but a surprising number of small-business sites still don’t have it in place.
What SSL actually is
SSL (Secure Sockets Layer, now technically called TLS) is the technology behind the little padlock icon next to your URL. It encrypts the connection between a visitor’s browser and your website’s server, so anything they type — a contact form, a phone number, a credit card — can’t be intercepted in transit.
A site with SSL is loaded over https://. A site without it is loaded over http://. The “s” is the whole difference, and it’s also the difference between “the padlock” and “Not Secure.”
What customers actually see
Chrome, Safari, Firefox, and Edge now all display some version of a warning on non-https sites. In most browsers it’s a grey or red “Not Secure” label right next to the URL. On forms, the warning gets louder — sometimes overlaying the input fields with “your information is not private.”
For a customer who’s comparing three roofers or three plumbers, that warning is enough. They’ll close the tab and call one of the other two. They will not stop to investigate, ask, or assume good faith.
Why Google also penalizes it
Google has officially used HTTPS as a ranking signal since 2014. Sites without SSL get pushed down in search results. The penalty is small on its own, but it stacks with everything else — slow load time, weak schema, missing reviews — and a non-secure site is usually missing a lot of those too.
Google also flags non-secure pages directly inside its search results in some cases, which means a percentage of customers won’t even click through.
Why so many old small-business sites still don’t have it
SSL used to cost real money — annual fees of $50 to $300 — and required a manual install on the server. So a lot of websites built before about 2018 simply didn’t bother. Today, SSL certificates are free through services like Let’s Encrypt, and most quality hosts install them automatically. There’s no longer any technical or financial reason for a site to be insecure. It’s almost always a sign that nobody has touched the site in years.
How it gets fixed
If your host is modern (most decent WordPress hosts in the last five years), enabling SSL is usually a single setting in the hosting control panel. Once the certificate is installed, the site needs a redirect set up so all http:// requests automatically forward to https:// — otherwise customers can still land on the insecure version.
If you’re on cheap shared hosting that doesn’t support free SSL, that’s a separate problem worth solving. But the “Not Secure” warning is the most fixable trust killer in small-business web — and the cheapest one to ignore.
Want a website that actually does this?
$100 to build. $25/month to keep it running. No contracts, free homepage mockup before you pay a cent.
Get My Free Homepage Mockup