combo lockThis week we implemented a feature that gives all of our shared hosting accounts a free SSL certificate from Let's Encrypt (https://letsencrypt.org/). As long as the DNS for your domain references the IP address of our server, existing customers should have a valid certificate not only for their main domain, but for any subdomains.

This means that https://your-website should already be working. The HTTPS in that URL tells your browser to request a secure page, where the usual HTTP protocol is not encrypted. However in order to take full advantage of HTTPS you may need to make some changes to your site's configuration. More on this below.

The Benefits of Using HTTPS/SSL

SSL has always been a good idea for sites that have controlled access. If users can log in to your site with a password, then they should be doing that over the secure HTTPS protocol. Regular HTTP connections send the password in plain text, so anyone who intercepts the communication has the user's login data. That's obviously not a good thing.

The same is true for sites that collect financial information. If you have a form that collects credit card information, your cardholder agreement probably requires that the data is sent over SSL.

HTTPS and Search Rank

About two years ago, Google announced that they were using HTTPS as a "lightweight" ranking signal.[link] If your search rank is really important to the success of your business, switching to HTTPS should help.

HTTPS and Browsers

Web browsers have long had an inidcation of whether or not a site was using a HTTPS connection, and whether or not the underlying SSL certificate was current and valid. Over the years, these indicators have become more prominent so users can easily see whether or not their connection was encerypted. Last month, the Chromium project announced that starting January 2017, their browser (which is the base for Google's Chrome browser) will start labelling some HTTP connections as not secure[link], like this:

chrome-2017

They also mentioned that this is part of a long term plan to mark all HTTP pages as non-secure, like this:

chrome-eventual

It's not unreasonable to assume that other browsers will follow suit, so it's better to switch to HTTPS now.

Updating Your Site

In most cases, switching to HTTPS is straightforward. Joomla users can change the "Force HTTPS" setting to "Always". Wordpress users can change their site's URL options. These changes will get you the main part of your page over HTTPS, but you might see warnings that "parts of your page" are insecure. this might be links to your images that use HTTP (one issue with Wordpress) or other "assets" brought into the page over HTTP. You might need to work with your web developer to get a "pure HTTPS" page.

What About Certificate Renewals?

We have a process that runs every night to take care of this. It checks the validity of all Let's Encrypt certificates, renews expired certificates, and attempts to issue new certificates for new subdomains. The process should be fully transparent and automated. Our customers should have SSL for life, which makes us very happy!