Add SSL to Your Site, NOW


Is every web property that you own 100% HTTPS? Yeah? Ok, stop reading right now, this post isn’t going to help you at all.

Still here? Great. You need SSL everywhere. On your site that accepts credit card payments? Yeah, you should’ve been doing this for a long time. On your site that sends you to a third party to collect money for a good or service? Yeah, SSL would be great for that. On your personal blog? Yup, that too should be running on good ol’ HTTPS. Everything, every last thing, should be secure in today’s world.

Google Chrome and Firefox now put a big noticeable warning in the address bar every time you see a login form or credit card form on an HTTP page. That makes sense; they don’t want you to get hacked or have your credit card info stolen, and it’s up to website owners to keep everything secure. Beyond that, it sounds like within the next 2 years or so all major browsers will mark all HTTP sites as “Not Secure”, login form or not. Secure your site now so you don’t have to worry about it later.

It’s Good for SEO

In 2014, Google said they’ll be boosting SEO rankings a bit for HTTPS sites. That alone should have you interested. I’m not an SEO expert, and I’m not positive that Google actually does what they said they’d do, or how much it affects things, but why not? A possible slight boost for minimal work is worth it, right?

It’s Free and Easy to Set Up

Most of the time, you can SSL your site for free. There are generally two options there: CloudFlare or LetsEncrypt. CloudFlare will be easier to set up, but LetsEncrypt will be more flexible. CloudFlare basically takes over your DNS hosting and routes your traffic through their servers, where they offer a ton of great caching and DDoS protection services. Best of all: they have a free plan that offers SSL. You just need to sign up for an account, they’ll scan your domain and pull in most of your DNS records automatically, then you switch the nameservers to them through your registrar. From there, make sure “Flexible” or “Full” SSL is turned on under the crypto tab. Flexible will downgrade the connections to HTTP before pushing them to your server, which is great if your host charges more for SSL, but it’s not actually secure: the visitor sees a padlock, yet the leg between CloudFlare and your server is plain text. The NSA will still look at that traffic, but it’s generally good enough for a personal blog. Use Full SSL if your host allows SSL, and “Full (Strict)” if you’re comfortable putting the “Origin Certificate” on your server. Full won’t downgrade the connection to HTTP, and Strict will also make sure the SSL cert on your server is legit, and not something self-signed or otherwise suspicious, so that anyone sitting between CloudFlare and your server can’t impersonate it.

LetsEncrypt is what you’d want to use if transferring DNS hosting is not an option or if you want to automate things. If you’re using a web hosting company, LetsEncrypt probably isn’t going to be an option. You really need root access to a server and a bit of Linux know-how to set it up. There are a ton of tutorials on how to set up Certbot, so just Google “Setup certbot on {insert distribution and version here}”. With that said, every site that I host at my day job automatically gets its own free SSL certificate thanks to LetsEncrypt and some stuff I wrote for Puppet.

When It’s Not so Easy

There are some situations where setting up SSL is going to suck. It just is. But I’m still telling you that you should.

  • If you have a bunch of subdomains, like a BUNCH, AND you want to use LetsEncrypt, it’s going to suck a bit. Generally, I’m looking at SaaS providers who have a URL structure like customer1.example.com, customer2.example.com, etc. LetsEncrypt limits you to 20 domains or subdomains/week, which means that with some clever automation, you can maybe get up to 240 subdomains covered, but no more. At that point, I would look toward CloudFlare, since they do cover wildcards on their free plan.
  • If you want an EV SSL certificate, it’s going to cost you a lot. There’s actually some human interactions there where they have a person verify that you are who you say you are, and that’s just going to cost money. If you want to use an EV SSL certificate with CloudFlare though, you’re probably going to need to be on their $200/month plan, so keep that in mind.
  • If you have a bunch of hardcoded http:// links, it might take some work to get them changed. Generally speaking you can do a find and replace with a variety of different tools, so it shouldn’t be too bad, but it’s something worth considering.

Mixed Content Warnings

Many times after switching to SSL, you’ll get some mixed content warnings that typically manifest as static files not loading. In most browsers, you can hit Ctrl+Shift+I or Command+Option+I and it’ll bring up developer tools. Go to the console tab and it’ll tell you about each one. Search your code for http://yourdomain.com links and change them to https:// or just //, which will use whichever protocol the page itself was loaded over. It’s also a good idea to search/replace the DB as well. If you’re using PHP serialized strings (really common in WordPress), check out searchreplacedb2, which will unserialize, replace, then reserialize; a plain text replace changes the string’s length and leaves the serialized value unreadable.
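As an added example (my own code, not part of the original post and not searchreplacedb2), here are both halves of that paragraph in Python: a scanner that lists the http:// subresources a page would flag as mixed content, and a search/replace that keeps PHP serialized strings valid by re-reading each `s:N:"..."` entry by its declared length and recomputing N. It assumes example.com stands in for yourdomain.com.

```python
import re

# Constructed sample values standing in for the post's "http://yourdomain.com":
# the link text to hunt for and what to change it to. Use b"//example.com"
# as the replacement for protocol-relative links.
OLD = b"http://example.com"
NEW = b"https://example.com"

# Subresource tags whose http:// src/href a browser treats as mixed content.
# An <a href> is navigation, not a subresource, so it is deliberately excluded.
_RES = re.compile(rb'<(?:script|link|img|iframe|source|audio|video)\b[^>]*?'
                  rb'\b(?:src|href)\s*=\s*["\']?(http://[^"\'\s>]+)', re.I)

# Start of a PHP serialized string: s:<byte length>:"
_STR = re.compile(rb's:(\d+):"')


def find_mixed_content(html: bytes) -> list:
    """Return the http:// subresource URLs the browser console would warn about."""
    return [m.group(1).decode() for m in _RES.finditer(html)]


def replace_serialized(data: bytes, old: bytes = OLD, new: bytes = NEW) -> bytes:
    """Replace old with new in a DB value without corrupting PHP serialized data.

    Each s:N:"..." entry is read by its declared byte length N instead of
    scanning for a closing quote (HTML stored in the body would defeat that),
    the body is rewritten and N is recomputed. Text outside such entries is
    replaced as-is, so plain option values work with the same function.
    """
    out = bytearray()
    pos = 0
    while True:
        m = _STR.search(data, pos)
        if m is None:
            out += data[pos:].replace(old, new)
            return bytes(out)
        n = int(m.group(1))
        start, end = m.end(), m.end() + n
        if data[end:end + 2] != b'";':
            # Declared length does not line up with the layout: not a real
            # serialized string, so pass the marker through as ordinary text.
            out += data[pos:m.end()].replace(old, new)
            pos = m.end()
            continue
        body = data[start:end].replace(old, new)
        out += data[pos:m.start()].replace(old, new)
        out += b's:%d:"%s";' % (len(body), body)
        pos = end + 2
```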
