Why and How for SSLs and your website

Published on Monday 16, October 2017

Secure sites. HTTPS and SSL. A topic more and more site owners and maintainers are having to work with. For some, this is a great thing; for others, it is either nerve-wracking or confusing. Luckily for us all, getting an SSL and implementing full-site HTTPS is becoming easier.

Why does an SSL matter?

First. Let's talk about why having an SSL and wrapping your site in HTTPS matters. For instance, there are people who think it is fine to have their e-commerce site behind regular HTTP because their payment gateway is PayPal.

Beyond security, consider the fact that Google announced in 2014 that HTTPS would be used as a ranking signal. Three years ago Google made the push for a more secure web by making this choice. According to the Internet, Bing has stayed away from this sort of decision. But, if you (or your customer) care about SEO, I hope this helps make a case.

Google's search rankings are not your only worry. Chrome and Firefox are starting to alert users that the site is not secure if they fill in sensitive form data: passwords, credit card fields. The Google Security Blog announced the move last year, and Firefox did the same in early 2017.

Isn't HTTPS slow?

Years ago it was thought that SSL was slow due to the handshakes involved. The fact is that it is actually faster. If you do not believe me, go to http://www.httpvshttps.com/.

Getting an SSL is easier, now.

I remember when having to go purchase and then install an SSL was a drag. It cost extra money, even if a paltry amount when broken down to monthly costs (~$5 a month), and required time to install. Thanks to the service Let's Encrypt it has become easier to get an SSL certificate. Let's Encrypt is a free and open certificate authority (CA), which means they can provide signed and authorized SSL certificates. You won't get Organization Validation (OV) or Extended Validation (EV) certificates; but, generally, you do not need those.

Let's Encrypt is great, but it requires you to run some tools to help automate certificate renewal and installation. Luckily, there are more hosting platforms and CDNs providing free or bundled SSL certificates.

Let's roll through some options. Please comment and share corrections or services that I have missed! The following items are services I use or found to be great on cost and ease of use.

Content Delivery Networks (CDN)

Putting a CDN in front of your website is one of the simplest ways to get your site wrapped in HTTPS without having to change your server or hosting information. This is your best option if you run your own servers and don't want to mess with certificates directly, or if your current host does not provide free/cheap SSL certificate support. It also improves the performance of your website for visitors.

CloudFlare is the CDN solution I use for this site in order to provide fully wrapped HTTPS support. CloudFlare has a great free plan that provides DDoS mitigation, CDN, SSL certificate and some other goodies. This is my go-to solution.

Hosting providers

More and more hosting providers are providing free SSL certificates. I've done some basic research, but these are based on services I have used or am familiar with.

Pantheon is a managed hosting service for Drupal and WordPress. Starting at $25 a month you get a managed hosting service, three environments (development, test, production), and a CDN with free SSL. If you want to install a custom SSL certificate, though, you will need to jump up to the Professional offering at $100 a month. Before Pantheon announced their global CDN and free SSL I had never considered them due to the price of the monthly service when you have an SSL. Next to using CloudFlare, it's your best bet for the "hands off" and peace of mind approach.

Platform.sh is my favorite and general go-to for price and value. You can host your PHP, Node.js, Python, and Ruby projects. Plans start at $50 for a production site, which seems a bit expensive. But that gets you an automatic free SSL and you can still install custom SSL certificates without additional charge. You also get other goodies such as the ability to use Solr, Redis caching and more.

Gandi.net is a hosting provider that was brought to my attention when finding homes for ContribKanban. For $7.50 a month you can get their Simple Hosting with free SSL. You can run your PHP, Node.js, Ruby or Python apps on their hosting powered by a web administrative interface.

Using Let's Encrypt itself

You can, of course, use Let's Encrypt yourself on your own hosting, for example by using certbot on your DigitalOcean droplet, or by just generating certificates and adding them to your existing host.
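
If you run Let's Encrypt yourself, the thing to watch is whether the automated renewal mentioned earlier is actually happening. The script below is an added example, not part of the original post: it classifies a certificate by its expiry date, assuming Let's Encrypt's 90-day certificates and certbot's default of renewing once fewer than 30 days remain. The function names, sample dates and the `your-site.example` host are made up for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

# Assumption: certbot's default renews once fewer than 30 days remain on a
# Let's Encrypt certificate (which is issued for 90 days).
RENEW_WINDOW_DAYS = 30


def days_remaining(not_after, now):
    """Days (float) between `now` and a certificate's notAfter string."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - now).total_seconds() / 86400


def renewal_status(not_after, now, window=RENEW_WINDOW_DAYS):
    """Classify a certificate as 'expired', 'renewal-overdue' or 'ok'."""
    left = days_remaining(not_after, now)
    if left <= 0:
        return "expired"
    if left < window:
        # Automation should already have replaced this certificate.
        return "renewal-overdue"
    return "ok"


def fetch_not_after(host, port=443, timeout=5.0):
    """Return notAfter of the certificate `host` serves (verified handshake)."""
    ctx = ssl.create_default_context()  # validates chain and hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    # Constructed sample values so the script runs offline; for a live check
    # pass fetch_not_after("your-site.example") and datetime.now(timezone.utc).
    now = datetime(2017, 10, 16, tzinfo=timezone.utc)
    samples = {
        "fresh": "Jan 14 00:00:00 2018 GMT",
        "renewal missed": "Nov 05 00:00:00 2017 GMT",
        "lapsed": "Oct 01 00:00:00 2017 GMT",
    }
    for label, not_after in samples.items():
        print(f"{label}: {renewal_status(not_after, now)} "
              f"({days_remaining(not_after, now):.0f} days)")
```

If the served certificate has already expired, the verified handshake in `fetch_not_after` fails with `ssl.SSLCertVerificationError`, which is itself the alert.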