Basically, ‘http’ is unencrypted, ‘https’ is encrypted. But in order to actually be properly safe, you need to know that the server really is who they say they are. Otherwise, I could sit between you and the server, intercept your connection, say ‘yeah, I’m the server!’ and to the server say ‘yeah, I’m Visitor X!’ and just proxy your stuff, and see everything anyway.
So, every (properly configured) HTTPS site has a certificate, issued by a Certificate Authority (CA). Essentially, the site owner generates a private-public keypair, sends the public part to the Certificate Authority. The CA does some checks to make sure they are who they say they are, and signs their certificate.
Now, where things can go wrong:
1. The certificate isn’t signed by a CA that your browser trusts.
2. The certificate is for the wrong domain.
In this case, it’s #2. If you click on the Advanced link, you can see the explanation:
“This server could not prove that it is hampsteadresearch.com; its security certificate is from *.orangewebsite.com. This may be caused by a misconfiguration or an attacker intercepting your connection.”
In this case, they just never set their site up for HTTPS, yet you followed an HTTPS link to their site. I.e., someone screwed up.
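To make check #2 concrete, here is an added example (not from this post or from either site) of the hostname-matching rule a browser applies to a certificate's names, run against a constructed certificate for `*.orangewebsite.com` in the same dict shape Python's `ssl` module returns from `getpeercert()`. It also shows the `ssl` context settings that keep both checks switched on, and a `probe()` helper (needs network, so it is not called below) that reports which check a real site fails. All certificate data here is constructed for illustration.

```python
import socket
import ssl
from typing import Dict, List

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert():
# a certificate issued for *.orangewebsite.com, the name from the browser
# warning quoted above. A browser must refuse it for hampsteadresearch.com.
ORANGEWEBSITE_CERT: Dict = {
    "subject": ((("commonName", "*.orangewebsite.com"),),),
    "subjectAltName": (
        ("DNS", "*.orangewebsite.com"),
        ("DNS", "orangewebsite.com"),
    ),
}


def dns_names(cert: Dict) -> List[str]:
    """Names the certificate is valid for. Modern browsers consult only
    subjectAltName; falling back to commonName is legacy behaviour."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def _name_match(pattern: str, host: str) -> bool:
    """RFC 6125 style matching: case-insensitive, and a wildcard may only be
    the whole leftmost label and covers exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a.b.example.com never matches *.example.com
    if "*" in pattern:
        # Reject partial wildcards (w*.example.com) and *.com-style patterns.
        if p[0] != "*" or any("*" in lbl for lbl in p[1:]) or len(p) < 3:
            return False
        return h[0] != "" and p[1:] == h[1:]
    return p == h


def hostname_matches(cert: Dict, host: str) -> bool:
    """Check #2 from the post: does the certificate cover this hostname?"""
    return any(_name_match(name, host) for name in dns_names(cert))


def verifying_context() -> ssl.SSLContext:
    """Context with both checks on: chain must lead to a trusted CA
    (check #1) and the name must match (check #2). Turning either off is
    what makes the proxy-in-the-middle scenario above work silently."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect to a real site and report which check fails. Needs network."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with verifying_context().wrap_socket(raw, server_hostname=host) as tls:
                return "ok: certificate covers " + ", ".join(dns_names(tls.getpeercert()))
    except ssl.SSLCertVerificationError as e:
        # e.verify_message tells you whether it was the CA or the name.
        return "certificate rejected: " + e.verify_message
    except (OSError, ssl.SSLError) as e:
        return "connection failed: " + str(e)


if __name__ == "__main__":
    for host in ("hampsteadresearch.com", "www.orangewebsite.com",
                 "orangewebsite.com", "a.b.orangewebsite.com"):
        print(f"{host:28} -> {hostname_matches(ORANGEWEBSITE_CERT, host)}")
```

The offline cases show why the warning fires: `*.orangewebsite.com` covers `www.orangewebsite.com` but not `hampsteadresearch.com`, and not a name with an extra label either. `probe("some.host")` does the live version of the same check with the CA trust check included.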
Essentially, Jacco and Charlotte couldn’t organise a piss-up in a brewery.
And we’d recommend caution when browsing their site.