SSL/TLS encryption: keeping form data in transit secure

Home / Everything About / Everything About Forms / SSL/TLS encryption: keeping form data in transit secure

When someone submits a form on an HTTP (not HTTPS) website, their data travels across the internet in plain text. Anyone on the network between them and your server can see what they typed, including passwords, credit card numbers, and email addresses. This is not theoretical. Packet sniffing tools are freely available, and attackers actively intercept unencrypted form submissions.

SSL/TLS encryption is the technology that protects form data while it travels from the visitor's browser to your server. It is the most fundamental form of form security, and it is non-negotiable.

What you'll learn: How HTTPS encryption works, the difference between SSL and TLS, what an SSL certificate is and why you need one, how to verify that your form is properly encrypted, and what to do if HTTPS is not working.

What is HTTPS and how does it encrypt data?

HTTPS is the secure version of HTTP (Hypertext Transfer Protocol). The "S" stands for Secure. HTTPS uses SSL/TLS (Secure Sockets Layer / Transport Layer Security) to encrypt all data sent between the visitor and your server.

Here is what happens when a visitor submits a form over HTTPS:

  1. The visitor fills out and submits the form. Their browser collects the data.
  2. The browser establishes an encrypted connection. It contacts your server and verifies the SSL certificate (more on this below).
  3. Both sides agree on encryption settings. They negotiate the strongest encryption available that both support.
  4. All data is encrypted before being sent. The form data is scrambled using the negotiated encryption.
  5. Your server receives the encrypted data. It uses its private key to decrypt the data so it can be read.

To anyone eavesdropping on the network, the data appears as random characters. They cannot read it without the encryption key, which only your server has.

The difference between SSL and TLS

SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are related technologies that do the same job. SSL was the original standard, first released in 1995. TLS is the modern, improved version that replaced it.

  • SSL 3.0: The last version of SSL, released in 1996. Outdated and no longer secure.
  • TLS 1.0: First version of TLS, released in 1999. Still works but older.
  • TLS 1.2: Released in 2008. Still widely used and considered secure.
  • TLS 1.3: Released in 2018. The current standard, faster and more secure.

Modern browsers and servers use TLS 1.2 or TLS 1.3. When people say "SSL certificate," they usually mean a certificate used for TLS encryption. The terms are often used interchangeably, but TLS is the actual technology in use today.

What is an SSL certificate?

An SSL certificate is a digital file that your web server uses to prove its identity and establish an encrypted connection. It contains:

  • Your domain name: Which domain the certificate is valid for (www.example.com)
  • Your organization information: Company name, address, etc.
  • A public key: Used by visitors' browsers to encrypt data
  • A digital signature: Proof that a trusted authority verified this certificate
  • Expiration date: When the certificate expires and needs to be renewed

The certificate is like a digital ID that proves your server is legitimate.

How SSL certificates are verified

When a visitor visits your HTTPS website, their browser checks your SSL certificate to make sure it is legitimate:

  1. Your server sends its certificate. The browser receives it.
  2. The browser checks the digital signature. Is this certificate signed by a trusted certificate authority?
  3. The browser verifies the domain. Does the certificate match the domain the visitor is visiting?
  4. The browser checks the expiration date. Is the certificate still valid?

If any of these checks fail, the browser shows a warning. If everything passes, the browser displays a padlock icon (or a secure indicator) telling the visitor that the connection is encrypted and the site is legitimate.

Types of SSL certificates

Domain Validated (DV) certificates

The basic certificate. The certificate authority verifies that you own the domain but does not verify your organization. Cheapest option. Good for most forms.

Organization Validated (OV) certificates

The authority verifies both the domain and your organization details. More expensive than DV, provides more trust. The browser shows your organization name in the certificate details.

Extended Validation (EV) certificates

The authority performs extensive verification including legal checks. Most expensive. Shows the organization name directly in the browser address bar. Mostly used by financial institutions and high-security sites.

Wildcard certificates

Valid for a domain and all its subdomains (e.g., a wildcard for *.example.com covers mail.example.com, blog.example.com, etc.). Useful if you have many subdomains with forms.

Multi-domain (SAN) certificates

Valid for multiple different domains in one certificate. Useful if you run multiple websites with forms.

Getting an SSL certificate

Certificate authorities

You buy certificates from certificate authorities (CAs) like:

  • Comodo (now Sectigo)
  • GoDaddy
  • DigiCert
  • Let's Encrypt (free, widely used)

Prices range from free (Let's Encrypt) to hundreds of dollars per year (EV certificates).

Through your web host

Most modern web hosts (including WEMASY) include SSL certificates automatically. You do not need to buy or manage them separately. They handle renewal automatically.

Installation and renewal

SSL certificates expire and need to be renewed. Most hosts handle this automatically. Check your certificate expiration date occasionally to make sure it is still valid. If it expires, your site shows a security warning and visitors may not trust it.

Verifying that your form is properly encrypted

Check the URL

Your form page should use HTTPS, not HTTP. Check the address bar.

GOOD: https://www.example.com/contact

BAD: http://www.example.com/contact

Look for the security indicator

In modern browsers, a secure HTTPS connection shows a padlock icon or a "Secure" label in the address bar. Click it to see the certificate details.

Check the certificate validity

Click the padlock and view the certificate. Look for:

  • Is it valid for your domain?
  • Has it expired?
  • Who issued it (the certificate authority)?

Use an online SSL checker

Tools like SSLLabs.com let you enter your domain and get a detailed report on your SSL configuration. This checks whether you are using the latest encryption standards and identifies any weaknesses.

Common HTTPS and SSL problems

Mixed content warning

Your form page is HTTPS, but some resources (images, scripts, stylesheets) are loaded over HTTP. Browsers warn visitors that the page is not fully secure. Fix this by making all resources HTTPS.

Certificate mismatch

The certificate is for www.example.com but the visitor is on example.com (no www), or the opposite. Browsers show a security warning. Fix this with a wildcard certificate or by redirecting one version to the other.

Expired certificate

Your certificate expired and needs renewal. Browsers show a prominent security warning. Visitors may not trust your form. Renew the certificate immediately.

Self-signed certificate

Your server is using a certificate you created yourself instead of one from a trusted authority. Browsers do not trust it and show a warning. Never use self-signed certificates on public forms. Buy or use a certificate from a recognized authority.

HTTPS is not just for forms

Every page on your website should use HTTPS, not just your form pages. This protects all visitor data and tells Google that your site is secure. Redirect all HTTP traffic to HTTPS so visitors are always protected.

What WEMASY does for SSL/TLS encryption

Every WEMASY website and every form built with WEMASY uses HTTPS by default. Your forms run on secure connections automatically. WEMASY manages SSL certificates for you, including automatic renewal. You never need to buy, install, or manage certificates. Encryption is built in and always active.

Learn more about your security setup in your account settings or on the pricing page.

Frequently asked questions

Does HTTPS make my website slower?

With WEMASY's <a href="/website-builder" target="_blank">website builder</a>, you can set this up directly on your website.

Is an expensive EV certificate better than a free Let's Encrypt certificate?

What if someone still submits their credit card number even though the form is HTTPS?

Can HTTPS be hacked?

Do I need HTTPS if I am only collecting names and emails?