I have received an email from Google telling me that non-HTTPS websites will be penalized:
Insecure pages that collect passwords will generate warnings in Chrome 56 for xxxxx.es
To: owner of xxxxxx.es
Starting in January 2017, Chrome (version 56 and later) will mark pages that collect passwords or credit card information as insecure, unless they are served over the HTTPS protocol.
The following URLs include fields to enter passwords or credit card information for which the new Chrome warning will be displayed. Review these examples to see where notifications will appear so you can take steps to continue protecting user data. It is not a complete list; they are just examples.
[URLS]
This new warning is the first phase of a long-term plan to mark as insecure all those pages that are not encrypted with the HTTP protocol.
To resolve the issue: Collect sensitive information through HTTPS pages. To prevent the "page not secure" message from appearing when a Chrome user visits your site, include fields that collect passwords and credit card information on pages encrypted using the HTTPS protocol.
My websites are HTTP and I don't know how to get this certificate, what it is for or how it is implemented. Can an expert on the subject tell me:
- What is SSL certificate? And what is it for?
- How do I implement it on my website for the security of all users?
First, a clarification: the problem is not that you are going to be penalized for not using HTTPS; you are going to be penalized for not using HTTPS on pages where the user is going to enter private information (e.g. passwords, credit cards, bank accounts...).
And the penalty is not in indexing for not using HTTPS (although that is something Google has taken into account since at least 2014); rather, the Chrome browser will show the user a message indicating that the page is not secure and that their data will be sent in an unsafe way (something that will have a negative effect, because it will scare off some users). If your visitors use Firefox or IE/Edge, they won't see that warning.
What is SSL certificate? And what is it for?
An SSL certificate is a small file associated with a cryptographic key of a company or organization, which is installed on a server and allows secure connections to be created between that server and the client's browser.
SSL certificates help protect the information of users and clients because they are used to encrypt the communication and the data sent, decrypting it at the destination and avoiding possible threats such as man-in-the-middle attacks.
In your particular case, and as mentioned above, you have received the email because you have (at least) one page in which the user is going to enter sensitive information and it is going to be done in an insecure way (with HTTP instead of HTTPS). As it is not HTTPS, that information will not be encrypted and could be read by an attacker.
An important fact to keep in mind: the connection being HTTPS does not mean that you can trust all the data you receive from the user. The user could be the attacker, so you should continue to implement methods to prevent other types of attacks (e.g. SQL injection, XSS).
How do I implement it on my website for the security of all users?
This will depend on the type of server and web service you have. Normally, your web hosting provider will also offer security services and will let you contract and buy SSL so that your pages are secure; if your server is shared, they will do it for you.
If you have your own server, then it may be up to you to do it, and it will differ depending on the web server you have installed. On the GoDaddy page you can find guides on how to do it in IIS or Apache.
Once you have the SSL certificate installed and configured, you can now serve your pages over HTTPS (you may need to make some changes to web.config or .htaccess to put a redirect from HTTP to HTTPS).

To obtain the certificate you will have to contact your hosting provider (usually it is offered as a paid service); they can install it on the server. Once installed on the server you will have to redirect all your traffic from HTTP to HTTPS, normally through .htaccess.
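As an added example (not from either answer, nor from the GoDaddy guides they point to), this is what the Apache side of that procedure looks like: a port 443 virtual host that loads the certificate, and the .htaccess rule that redirects plain HTTP to HTTPS. The hostname and the certificate file paths are placeholders to be replaced with your own.

```apache
# --- /etc/apache2/sites-available/example-ssl.conf (placeholder path) ---
# Requires mod_ssl to be enabled (a2enmod ssl on Debian/Ubuntu).
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/html

    SSLEngine on
    # Certificate issued for www.example.com (placeholder path)
    SSLCertificateFile /etc/ssl/certs/example.com.crt
    # Private key matching that certificate; keep it readable by root only (placeholder path)
    SSLCertificateKeyFile /etc/ssl/private/example.com.key
    # Intermediate CA chain supplied by the issuer (placeholder path).
    # On Apache 2.4.8+ the chain may instead be appended to SSLCertificateFile.
    SSLCertificateChainFile /etc/ssl/certs/example.com-chain.crt

    # Refuse the legacy protocol versions that browsers no longer trust
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
</VirtualHost>

# --- .htaccess in the DocumentRoot (needs mod_rewrite and AllowOverride) ---
RewriteEngine On
# Only rewrite requests that arrived over plain HTTP
RewriteCond %{HTTPS} !=on
# Permanent (301) redirect to the same host and path over HTTPS
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
```

After enabling the site and reloading Apache, check it by requesting an HTTP URL of a login page and confirming you get a 301 to the https:// version, and that the HTTPS page itself shows no mixed-content warnings in the browser console.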
This is a certificate that encrypts the communication between the client and your website, but these have a cost; since Google penalizes them, I think that email is more SPAM than anything else. I doubt very much that Google will do this.