Subscribe to the Non-Human & AI Identity Journal

When should a website use SSL certificates instead of relying on plain HTTP?

A website should use SSL certificates whenever it handles logins, account recovery, forms, checkout, or any other exchange of sensitive data. If the site collects credentials, personal information, or payment details, encryption is part of the baseline trust model. Static pages can be lower risk, but HTTPS is still the safer default for most public sites.

Why This Matters for Security Teams

The real question is not whether HTTPS is nicer than HTTP, but when plaintext exposure becomes unacceptable for a business workflow. Once a site handles credentials, password resets, payment data, profile changes, or any request that could be replayed or altered in transit, encryption is part of the trust boundary. Guidance from NIST SP 800-53 Rev 5 Security and Privacy Controls treats transport protection as a baseline control, not an optional enhancement.

Plain HTTP leaves data visible to intermediaries and makes session hijacking, tampering, and credential capture materially easier. Even for “simple” public pages, modern browsers increasingly mark unsecured sites as unsafe, which erodes user trust before any incident occurs. NHIMG research on The Critical Gaps in Machine Identity Management report shows certificate operations are often weakly managed, with only 38% reporting automated certificate lifecycle management. In practice, many security teams discover the cost of weak transport security only after browsers, users, or attackers have already made the risk visible.

How It Works in Practice

SSL is the old term; in current practice, websites use TLS certificates to enable HTTPS. The certificate proves domain control and lets the browser negotiate encrypted traffic, which protects confidentiality and integrity in transit. For login pages, checkout flows, account recovery, and any authenticated session, HTTPS should be mandatory. For purely informational sites, plaintext may still function technically, but current guidance suggests HTTPS anyway because mixed content, link rewriting, and passive observation are common failure points.

Implementation is usually straightforward:

  • Issue a certificate from a trusted certificate authority and install it on the web server or load balancer.
  • Redirect all HTTP requests to HTTPS and enable HSTS once the site is stable.
  • Renew certificates automatically and monitor expiry to avoid outages.
  • Make sure every asset on the page, including scripts and images, is also loaded over HTTPS.

For organizations that manage many domains or subdomains, certificate lifecycle and ownership matter as much as encryption itself. NHIMG’s machine identity management research highlights how often teams rely on manual tracking, which is why certificate expiry remains a leading cause of outages. Operationally, this aligns with NIST expectations for controlled access, integrity, and reliable service delivery, and it is reinforced by Cloudflare’s TLS overview as a practical baseline for modern web delivery.

These controls tend to break down in environments with many unmanaged subdomains, legacy appliances, or externally hosted sites where certificate ownership and renewal are not clearly assigned.

Common Variations and Edge Cases

Tighter transport security often increases operational overhead, requiring organisations to balance encryption coverage against certificate management complexity. A public brochure site with no forms is lower risk than a portal handling authentication, but “lower risk” is not the same as “safe to leave on HTTP.” The main tradeoff is maintenance, not feasibility.

There is no universal standard that says every page must be encrypted for every scenario, but best practice is evolving toward HTTPS everywhere because the boundary between “static” and “interactive” content is often blurred by analytics, chat widgets, embedded forms, and third-party scripts. Sites serving login, checkout, or account recovery should never rely on plain HTTP, and even internal admin interfaces should use TLS because they are frequent targets for credential theft and session replay.

Edge cases matter. Local development, isolated test environments, or air-gapped systems may use HTTP for convenience, but those are controlled exceptions, not production guidance. For public websites, a certificate is not just about compliance optics, it is about preventing passive interception and making browser security warnings work in your favor. The DeepSeek breach and other secret exposure incidents show how quickly attackers exploit weak trust controls once credentials or backend access are exposed. For transport security decisions, OWASP Top 10 remains a useful lens for understanding how insecure transmission compounds broader web risk.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-63, NIST AI RMF and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 PR.DS-2 Protects data in transit, which is the core reason to prefer HTTPS over HTTP.
OWASP Non-Human Identity Top 10 Highlights secret exposure and insecure transport paths that often precede identity compromise.
NIST SP 800-63 Digital identity guidance depends on secure channels for login and recovery workflows.
NIST AI RMF MAP Risk mapping should include transport-layer exposure and browser trust impacts.
NIST Zero Trust (SP 800-207) Zero trust assumes untrusted networks, making plaintext transport inconsistent with the model.

Treat plaintext transport as a credential exposure risk and enforce encrypted delivery for all authenticated flows.