BIG Mike

Free SSL Certificates

19 posts in this topic

Although I've known about this for a while, I've just finally gotten around to testing it - Free SSL Certificates from https://letsencrypt.org/

If you have an updated version of cPanel, you can install them with a couple of mouse clicks and they'll renew themselves automatically. I tried this on one of my servers with cPanel and it was a painless installation. 

If you're using SSH, you can install CertBot https://certbot.eff.org/ - a bit more complicated installation, but I tested it this way as well on several nginx virtual servers and didn't have any problems. 

Personally, I think it's a good reason to use SSL on all your sites, just to make things more secure. If anyone decided to use them and needs technical help, let me know...

 


thanks for the tip.

one of my hosts is on the list of supporters, switched one of my spare domains, took about 1 minute and all good.

are these certs sufficient for any type of site? i may be asking this incorrectly, but i was looking at the notes in my host and it was talking about how the free ssl was good for like blogs and simple sites. are they just trying to upsell, or would i need something better than free if i was running some big ecommerce site for example (im not)

oh, lets say i had an established site, would the switch to https in this manner cause problems generally? i think i remember seeing people gripe about how much of a pain in the ass it is to move to https.

thanks again

 

 

 

Khemosabi likes this

12 hours ago, gnojham said:

are these certs sufficient for any type of site? i may be asking this incorrectly, but i was looking at the notes in my host and it was talking about how the free ssl was good for like blogs and simple sites. are they just trying to upsell, or would i need something better than free if i was running some big ecommerce site for example (im not)

These are good for any type of site, despite what your host might be saying ;)

For eCommerce, there are two issues - the first is whether or not your site is PCI compliant (if you're using your own merchant account) and second, a "Trust" issue. As far as I've been able to determine, LetsEncrypt is PCI compliant, mainly because there's no difference in encryption between an EV (Extended Validation) Certificate and LetsEncrypt.

The real difference between them is that the site/domain owner has to be vetted to get an EV Certificate (what your host upsells) and this is intended to provide the "Trust" factor that DV (Domain Validated) and OV (Organization Validated) certificates don't provide. 

That said, if I were running a large eCommerce site like PayPal or Amazon, then yes, I'd purchase an EV Certificate as opposed to a free one. If I've just got a few small sites that I'm selling products on, I'd stick with the free one, at least until my sales volume could justify an EV Certificate. 

13 hours ago, gnojham said:

oh, lets say i had an established site, would the switch to https in this manner cause problems generally? i think i remember seeing people gripe about how much of a pain in the ass it is to move to https.

I'm not sure why people gripe about it as it's not overly complicated. First, you install the certificate so that using https works on the site - that's pretty much a no brainer as you already figured out. 

The second issue is re-configuring your site to automatically and permanently redirect visitors coming in on http to https. Depending on your server, this can be done in .htaccess, an nginx configuration file or even in PHP if you have to.

Your site might take a hit in SERPS temporarily, but as long as you're using a 301 redirect, that'll sort itself out.  

Mike Friedman and Khemosabi like this


Along with the 301 redirect what else would you suggest?

Just for the sake of "best practices"...

Would it be a good idea to manually change your website url in your social media accounts?

Your affiliate accounts like CJ, Amazon and such?

Change backlinks that I have the ability to edit?

I have thought about adding the "s" for a while now. In the past 301 redirects have always seemed to work for me as intended. I just get nervous and have always suspected that from a clean running site perspective that "the fewer 301 redirects taking place the better." Maybe I am overthinking it.

Khemosabi likes this


Just did mine for my wordpress membership site using Lets Encrypt, it was quite straightforward, and I was done in less than 5 minutes.

My host said they don't support free SSL (Lets Encrypt and co), and have no plans of doing so, (they wanted me to purchase one), but I found a workaround for that using sslforfree.com,  and had my https running flawlessly in less than 5 minutes.

I think people are just scared of rocking the boat...it can actually rock the boat if not very well done...from what I saw in my research before going ahead with it.

The other thing people should know is that your social likes and shares are probably going to disappear from your site once you switch to SSL, and it's important to know that upfront rather than be taken unawares. But I think there is a workaround for that now, saw something like that on some sites, though didn't bother to research it since I didn't have those likes and shares thingy on my site in the first place.

 

Mike Friedman likes this

6 hours ago, Janice Sperry said:

Along with the 301 redirect what else would you suggest?

Just for the sake of "best practices"...

Would it be a good idea to manually change your website url in your social media accounts?

Your affiliate accounts like CJ, Amazon and such?

Change backlinks that I have the ability to edit?

I have thought about adding the "s" for a while now. In the past 301 redirects have always seemed to work for me as intended. I just get nervous and have always suspected that from a clean running site perspective that "the fewer 301 redirects taking place the better." Maybe I am overthinking it.

From what I saw in my research before I installed mine, most people recommend doing all that for the sake of 'best practices', after setting up your 301 redirects.

They mostly advocate changing all your internal links, and the external links you can control, viz. updating the links on your social media pages, your email marketing program (e.g. Aweber and GetResponse), and other third party marketing programs, your PPC ads, your Google Analytics and Google Webmaster Tools (now Google Search Console).

Funny enough, most people did not state any particular reason why they wanted people to go through the hassle of changing all that, except just saying that it was in line with 'best practices' currently.

Personally, I didn't do all that. I just installed my plugin for the redirects (Really Simple SSL), updated my Google Analytics and my Facebook ad, (not very sure if my email autoresponder was updated as well), and that was all.

On 5/10/2017 at 8:49 PM, gnojham said:

oh, lets say i had an established site, would the switch to https in this manner cause problems generally? i think i remember seeing people gripe about how much of a pain in the ass it is to move to https.

thanks again

 

 

 

Most people gripe about the loss of social signals on their site (likes and shares), which I think can be recovered to some extent nowadays........and the drop in rankings some sites experience, though I heard that's mainly transient.

And then the amount of work it takes for them to convert their sites if they have a large site.

 

I think the concerns are mostly valid, but I also think that for sites selling anything or even collecting emails n stuff, the move to https is almost inevitable going by the way Google and the net is going.

So the earlier they go through with it and weather any pains that might come with it, the better for them.

Mike Friedman likes this


It is always better to go with a free or cheap SSL when the website is still small and growing. In the future, as your site grows, if there is a need, you can always get a paid one. The url remains the same. In this way you don't lose any rankings by later moving to HTTPS. It is always better to have SSL right from the beginning even if it is a free one.

Mike Friedman likes this

13 hours ago, Janice Sperry said:

Along with the 301 redirect what else would you suggest?

Just for the sake of "best practices"...

Would it be a good idea to manually change your website url in your social media accounts?

Your affiliate accounts like CJ, Amazon and such?

Change backlinks that I have the ability to edit?

I have thought about adding the "s" for a while now. In the past 301 redirects have always seemed to work for me as intended. I just get nervous and have always suspected that from a clean running site perspective that "the fewer 301 redirects taking place the better." Maybe I am overthinking it.

 

3 hours ago, Mindsnoop Marketing said:

It is always better to go with a free or cheap SSL when the website is still small and growing. In the future, as your site grows, if there is a need, you can always get a paid one. The url remains the same. In this way you don't lose any rankings by later moving to HTTPS. It is always better to have SSL right from the beginning even if it is a free one.

 

Rather than change URLs everywhere (that's really labor intensive), there's a better way using mod_rewrite to process the incoming request and redirect it with a 301 "Moved Permanently" type of redirect. This not only gets search engines to update their data but also passes along your link juice (or most of it).

Here's an article that explains it in more detail:

https://moz.com/learn/seo/redirection

For any new links, yes, use https, but for older sites, a 301 is a perfectly legitimate and expected mechanism for making changes like this. The whole purpose of a 301 is so that website owners don't have to go back and change every existing page. 

4 hours ago, BIG Mike said:

Rather than change URLs everywhere (that's really labor intensive), there's a better way using mod_rewrite to process the incoming request and redirect it with a 301 "Moved Permanently" type of redirect. This not only gets search engines to update their data but also passes along your link juice (or most of it).

Here's an article that explains it in more detail:

https://moz.com/learn/seo/redirection

For any new links, yes, use https, but for older sites, a 301 is a perfectly legitimate and expected mechanism for making changes like this. The whole purpose of a 301 is so that website owners don't have to go back and change every existing page. 

There was a time when it was widely believed, and backed up by some testing, that 301 redirects did not pass all of a page's authority. Most people said they passed along 80% of the linkjuice, page authority, etc. How they could quantify that number was always a mystery to me. In my opinion, they pulled it out of their ass.

That being said, tests did seem to show that not all of the authority was passed on.

More recently though, it seems that has changed. I have helped a few people with redesigns and migrations from one domain to another in the past year. None of them lost a bit of rankings through 301 redirects. Some had an initial loss when we did the changeover, but they all recovered and went right back to where they were.

Google's guide to changing URLs still recommends changing links you can control (last time I checked), which is probably why people still suggest doing that.


I've not made the leap either.

Won't we need to change image URLs in each post, too?

Also, how is the speed difference? Would it be better to use https on login pages or pages that collect information only to avoid speed issues?

Mark

4 hours ago, Mark Singletary said:

Won't we need to change image URLs in each post, too?

If you do a 301 redirect from http to https, you won't need to. 

4 hours ago, Mark Singletary said:

Also, how is the speed difference?

While there is some measurable latency, it's not perceivable, at least to me. It would probably be more noticeable on shared hosting, but even then, the latency is minimal (unless it's a really slow server). 

4 hours ago, Mark Singletary said:

Would it be better to use https on login pages or pages that collect information only to avoid speed issues?

My first impression on reading that sentence was that it raises a huge trust issue - when you log into a site using SSL, you expect that the entire site is secure, unless the site specifically informs you you're leaving a secure section of the site to a non-SSL page (I've seen this in the past). 

Given that speed really isn't an issue, I wouldn't recommend doing that. 

Mike Friedman likes this


Https can't save you from someone determined to get data.

All someone has to do is an ARP spoof to redirect traffic then a SSLstrip to switch traffic back to http, capture the data (ex: login info.) with a man in the middle.

The average person will never know they've been redirected and then redirected a second time back to the legit site as http.

 

4 hours ago, yukon said:

Https can't save you from someone determined to get data.

All someone has to do is an ARP spoof to redirect traffic then a SSLstrip to switch traffic back to http, capture the data (ex: login info.) with a man in the middle.

The average person will never know they've been redirected and then redirected a second time back to the legit site as http.

 

You make that sound easy - but in reality, they need access to the Local Area Network (LAN) or WIFI to do this. To be clear, this type of exploit is on the user's end, not the server. 

I agree with you that SSL or not, there is always a risk of being hacked, but SSL significantly reduces the risk of the current session being manipulated, especially if the CA is doing validated lookups on DNS.

Khemosabi likes this
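
An added example, not part of any post in this thread: a small Python check for the two points discussed above, that the http-to-https redirect is a single permanent 301 and that the HTTPS response sets HSTS (`Strict-Transport-Security`, RFC 6797), the header that tells returning browsers to skip the strippable http:// request. The hosts and header values are constructed, and the hops are assumed to be transcribed by hand from `curl -sIL` output.

```python
from urllib.parse import urlsplit

PERMANENT = {301, 308}  # status codes that tell clients and crawlers the move is permanent

def hsts_max_age(headers):
    """Seconds from a Strict-Transport-Security header, or None if absent or malformed."""
    for directive in headers.get("strict-transport-security", "").split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.lower() == "max-age" and arg.strip('"').isdigit():
            return int(arg.strip('"'))
    return None

def audit_chain(hops):
    """hops: [(url, status, headers)] in the order a client received them.
    Returns a list of (code, detail) findings; an empty list means the chain is clean."""
    if not hops:
        return [("empty", "no responses captured")]
    hops = [(u, s, {k.lower(): v for k, v in h.items()}) for u, s, h in hops]
    findings = []
    for url, status, headers in hops[:-1]:
        target = headers.get("location", "")
        if status not in PERMANENT:
            findings.append(("temporary-redirect", f"{url} answered {status}"))
        if urlsplit(url).scheme == "https" and urlsplit(target).scheme == "http":
            findings.append(("downgrade", f"{url} sends visitors back to {target}"))
    if len(hops) > 2:
        findings.append(("redirect-chain", f"{len(hops) - 1} redirects before the final page"))
    final_url, _, final_headers = hops[-1]
    if urlsplit(final_url).scheme != "https":
        findings.append(("final-not-https", f"{final_url} is served in cleartext"))
    elif not hsts_max_age(final_headers):
        # Without HSTS (or with max-age=0) a browser keeps starting on http://,
        # the one request an on-path attacker can hold on http.
        findings.append(("no-hsts", f"{final_url} sets no usable Strict-Transport-Security"))
    return findings

# Constructed sample chains (hypothetical hosts), not captured from a real site.
CLEAN = [
    ("http://shop.example/", 301, {"Location": "https://shop.example/"}),
    ("https://shop.example/", 200,
     {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
]
WEAK = [
    ("http://shop.example/", 302, {"Location": "http://www.shop.example/"}),
    ("http://www.shop.example/", 301, {"Location": "https://www.shop.example/"}),
    ("https://www.shop.example/", 200, {}),
]

if __name__ == "__main__":
    for name, chain in (("CLEAN", CLEAN), ("WEAK", WEAK)):
        print(name, audit_chain(chain) or "ok")
```

HSTS only takes effect after a browser has seen the header once over HTTPS, so the very first visit over http:// is still unprotected.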

9 hours ago, BIG Mike said:

You make that sound easy - but in reality, they need access to the Local Area Network (LAN) or WIFI to do this. To be clear, this type of exploit is on the user's end, not the server. 

 

You're greatly underestimating the web. 

Wordpress alone is roughly 25% of the web, it's safe to say another 50% of the web has installed an open source vulnerability of some kind.

There's always a weak link in every network. Always.

 

3 hours ago, yukon said:

You're greatly underestimating the web. 

Wordpress alone is roughly 25% of the web, it's safe to say another 50% of the web has installed an open source vulnerability of some kind.

There's always a weak link in every network. Always.

Nah, I'm not underestimating it and I'm not disagreeing with you either. In fact, your last comment is probably the best argument for using SSL - it's one more layer of security, one of many that should be implemented and probably doesn't happen, due to inexperience or poor hosting. 

Just because the risk is so widespread, doesn't mean folks shouldn't bother taking every possible precaution to mitigate as much of the risk as possible. 

Khemosabi likes this

16 minutes ago, BIG Mike said:

Nah, I'm not underestimating it and I'm not disagreeing with you either. In fact, your last comment is probably the best argument for using SSL - it's one more layer of security, one of many that should be implemented and probably doesn't happen, due to inexperience or poor hosting. 

Just because the risk is so widespread, doesn't mean folks shouldn't bother taking every possible precaution to mitigate as much of the risk as possible. 

 

 

Most sites don't need SSL.

...and then you have the average webmaster that installs a vulnerable plugin/theme. In reality the webmaster usually self inflicts most of their problems.

...and then you have inexperienced webmasters reading blogs/forums that say everyone has to have SSL so they run out, try to update and end up killing their traffic sources in the process from broken URLs.

8 hours ago, yukon said:

Most sites don't need SSL.

...and then you have the average webmaster that installs a vulnerable plugin/theme. In reality the webmaster usually self inflicts most of their problems.

...and then you have inexperienced webmasters reading blogs/forums that say everyone has to have SSL so they run out, try to update and end up killing their traffic sources in the process from broken URLs.

Again, for the most part, I'm not disagreeing with what you're saying - inexperienced webmasters are clearly their own worst enemy.  But...none of that makes SSL a bad thing - and while it's not always necessary, with the prevalence of WiFi these days, it's safer for your users if you require any kind of login to your site. 

From a marketing perspective, it's also another point for credibility and a lightweight ranking signal. Given that it's free via CA's like LetsEncrypt, it almost doesn't make sense to not do it, especially for all the other reasons you mentioned :D
