
SSL & HTTPS Explained — Why Your Site Bleeds Customers Without Them

4/28/2026 · 5 min read

A plain-English primer on SSL certificates and HTTPS, certificate types, installation, and the direct impact on security, SEO, and trust.

In 2026, any site not running on HTTPS is a site losing visitors and sales. Browsers flag it as "Not secure," Google ranks it lower, and customers flee a checkout without the green padlock. Here's a no-jargon breakdown — and how to pick and install the right certificate for your Saudi site.

What is an SSL certificate?

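A digital certificate that proves your site "is who it claims to be" and lets the browser and server encrypt the data passing between them. Asymmetric cryptography is used to verify the certificate and agree on keys; the traffic itself is then encrypted with the resulting session key. Once active, the URL becomes https:// instead of http://, with a padlock in the address bar.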

SSL vs TLS — what's the difference?

Technically, the modern protocol is TLS (Transport Layer Security). "SSL" is the common marketing term. Versions:

  • SSL 1.0, 2.0, 3.0: old and insecure (don't use)
  • TLS 1.0, 1.1: deprecated since 2020
  • TLS 1.2: widely supported (minimum recommended)
  • TLS 1.3: fastest and most secure (current standard)

Make sure your host supports TLS 1.3. All Best Host servers run TLS 1.3 by default.

How HTTPS works (in plain terms)

  1. Client Hello: browser requests a secure connection.
  2. Server Hello: server sends its CA-signed certificate.
  3. Validation: browser checks the certificate is valid and trusted.
  4. Key exchange: a temporary session key is established.
  5. Encryption: all subsequent data is encrypted with that key.

All in under 100 ms. TLS 1.3 trimmed the handshake to a single round trip ("1-RTT"), half the previous time.

Certificate types

| Type | Verifies | Yearly cost | When to pick |
|---|---|---|---|
| DV (Domain Validation) | Domain ownership only | Free – SAR 200 | Brochure sites, blogs |
| OV (Organization Validation) | Company exists legally | SAR 300–800 | Mid-size companies, B2B |
| EV (Extended Validation) | Full company identity | SAR 1,500–4,000 | Banks, insurers, government |
| Wildcard | Domain + all subdomains | SAR 200–1,500 | SaaS platforms, multi-branch |
| Multi-Domain (SAN) | Several distinct domains | SAR 400–2,000 | Multi-brand companies |

Small business: free DV (Let's Encrypt) is enough. Larger stores: OV adds visual trust. Banks and finance: EV displays the company name in the address bar. SaaS: Wildcard is required to cover *.yoursite.sa.

For a deeper dive, see Wildcard vs single SSL.

Why HTTPS matters

1. Security

Without HTTPS, anyone on the same Wi-Fi network (in a coffee shop, for example) can see passwords and sensitive form data submitted to your site. This is a Man-in-the-Middle attack. Encryption stops it cold.

2. SEO

Google confirmed back in 2014 that HTTPS is a ranking factor. HTTP sites get a quiet downrank even if content is better. Small but real. See Saudi SEO fundamentals.

3. Trust

Chrome, Safari, and Firefox loudly mark HTTP as "Not secure." Conversion rates drop ~30% the moment users see that warning. For stores, the disaster is bigger — no one types a card on a "Not secure" site.

4. Modern features that require HTTPS

  • HTTP/2 and HTTP/3 (much faster)
  • Service Workers and PWA (installable web apps)
  • Web Push Notifications
  • Geolocation API
  • Camera/Microphone APIs
  • WebAuthn (passwordless login)
  • Payment Request API

5. Saudi payment gateway requirement

Mada, Apple Pay, and STC Pay refuse to work on HTTP. Without SSL, you can't accept payments.

6. PDPL and ZATCA requirements

Saudi PDPL requires data encryption in transit. No SSL = potential violation.

How to install SSL

Option 1: Free Let's Encrypt (recommended for most)

Most cPanel setups enable Let's Encrypt with one click and auto-renew every 90 days. Steps:

  1. Log into cPanel → SSL/TLS Status
  2. Pick your domain
  3. Click Run AutoSSL
  4. Wait a few minutes

On Best Host, Let's Encrypt is enabled by default.

Option 2: Paid certificate

Buy from your host or from Sectigo/DigiCert/GeoTrust:

  1. Generate a CSR (Certificate Signing Request) on your server
  2. Request the certificate from the issuer
  3. Verify domain ownership (via email, DNS, or file)
  4. Install the issued certificate

Option 3: Cloudflare-issued certificate

If your site sits behind Cloudflare:

  • Cloudflare Universal SSL: free
  • Cloudflare Advanced Certificate Manager: $10/month

After install: 5 must-do steps

1. Redirect HTTP to HTTPS

Apache .htaccess:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Nginx:

server {
    listen 80;
    server_name example.sa www.example.sa;
    return 301 https://$host$request_uri;
}

2. Update all internal links

From http:// to https://. For WordPress, use Better Search Replace.

3. Update sitemap and Search Console

Resubmit sitemap.xml as HTTPS. Add the site as a new property in Search Console.

4. Check for mixed content

Any image or script loaded via HTTP on an HTTPS page hides the padlock. Use Chrome DevTools → Console.

5. Enable HSTS

HTTP Strict Transport Security forces browsers to always use HTTPS:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
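
The three parts of that header are separate commitments, so it helps to review what a server actually sends. The following is an added example, not from the original article; it assumes the browser preload list's published submission requirements (max-age of at least one year, includeSubDomains, and preload), and the function names are hypothetical.

```python
PRELOAD_MIN_MAX_AGE = 31536000  # one year in seconds, the value used in the header above

def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into its directives."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if name == "max-age":
            arg = arg.strip().strip('"')  # the value may be quoted
            policy["max_age"] = int(arg) if arg.isdigit() else None
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy

def review_hsts(value):
    """Return a list of findings; an empty list means the header is preload-ready."""
    p = parse_hsts(value)
    if p["max_age"] is None:
        return ["max-age missing or invalid: browsers ignore the whole header"]
    if p["max_age"] == 0:
        return ["max-age=0 tells browsers to forget the policy"]
    findings = []
    if p["max_age"] < PRELOAD_MIN_MAX_AGE:
        findings.append("max-age below one year: not eligible for preload")
    if not p["include_subdomains"]:
        findings.append("includeSubDomains missing: subdomains can still be reached over HTTP")
    if p["preload"] and findings:
        findings.append("preload set, but the preload requirements above are not met")
    elif not p["preload"]:
        findings.append("preload not requested (fine during rollout)")
    return findings

if __name__ == "__main__":
    # Constructed header values: the one from this page, then a cautious rollout value
    for header in ("max-age=31536000; includeSubDomains; preload", "max-age=300"):
        print(header, "->", review_hsts(header) or "ok")
```

Because includeSubDomains applies to every subdomain and a preload entry is slow to remove, confirm that all subdomains serve valid HTTPS before sending the full header.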

Common mistakes

  1. Forgetting renewal (auto for Let's Encrypt, but verify)
  2. Mixing HTTPS and HTTP content on the same page (mixed content)
  3. Expired certificate → scary browser warning
  4. Incomplete certificate chain (missing intermediate)
  5. Certificate name mismatch with the domain (CN mismatch)
  6. Using TLS 1.0/1.1 (deprecated)
  7. Keeping http links in sitemap (Google sees them as separate pages)

How to test your certificate

1. SSL Labs Test (free)

https://www.ssllabs.com/ssltest/ — comprehensive test that grades A to F.

2. Why No Padlock

https://www.whynopadlock.com/ — quickly finds mixed-content issues.

3. Browser DevTools

Open the page → click the padlock → view certificate details.

What different failures mean

  • NET::ERR_CERT_AUTHORITY_INVALID: certificate isn't signed by a trusted CA
  • NET::ERR_CERT_DATE_INVALID: certificate expired
  • NET::ERR_CERT_COMMON_NAME_INVALID: certificate name doesn't match the domain
  • ERR_SSL_PROTOCOL_ERROR: TLS protocol issue
  • ERR_CONNECTION_REFUSED: server isn't listening on port 443
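
Two of the failures above, an expired certificate and a name mismatch, can be caught before visitors see them. This added example (not part of the original article) checks a certificate in the dict form returned by Python's `ssl.SSLSocket.getpeercert()`; the sample certificate is constructed, and it shows that a wildcard name covers exactly one subdomain level.

```python
import ssl
from datetime import datetime, timezone

def name_matches(pattern, host):
    """Compare one certificate DNS name with a hostname.
    A leading '*' stands for exactly one label, so it never covers the bare
    domain or a deeper subdomain."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def _when(text):
    # Certificate dates look like "Jun 18 00:00:00 2026 GMT"
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), timezone.utc)

def check_cert(cert, host, now, warn_days=21):
    """cert: dict shaped like ssl.SSLSocket.getpeercert() output. Returns findings."""
    findings = []
    not_before, not_after = _when(cert["notBefore"]), _when(cert["notAfter"])
    if now < not_before or now > not_after:
        findings.append("NET::ERR_CERT_DATE_INVALID")
    elif (not_after - now).days < warn_days:
        findings.append(f"renew soon: {(not_after - now).days} days left")
    # Browsers match the hostname against subjectAltName entries, not the CN.
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(name_matches(n, host) for n in names):
        findings.append("NET::ERR_CERT_COMMON_NAME_INVALID")
    return findings

# Constructed sample: a 90-day wildcard certificate for the page's *.yoursite.sa
SAMPLE_CERT = {
    "notBefore": "Mar 20 00:00:00 2026 GMT",
    "notAfter": "Jun 18 00:00:00 2026 GMT",
    "subjectAltName": (("DNS", "*.yoursite.sa"),),
}

if __name__ == "__main__":
    now = datetime(2026, 4, 28, tzinfo=timezone.utc)
    for host in ("shop.yoursite.sa", "yoursite.sa", "a.b.yoursite.sa"):
        print(host, check_cert(SAMPLE_CERT, host, now) or "ok")
```

To cover the bare domain as well, the certificate needs `yoursite.sa` listed as its own name next to the wildcard.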

Bottom line

SSL/HTTPS isn't optional — it's a baseline standard for security, SEO, trust, and modern technical features. On Best Host hosting, free auto-renewing SSL is part of every plan. Elsewhere, enable Let's Encrypt today, or contact us for help with installation and configuration.
