Sadly medical data has been nonsecure from the start & remains that way.

Aside - my local med facility sent me an email a while back stating how thrilled they were to tell me that all my med history is now online and I can access it with their new shiny app! Of course I immediately called them making sure they removed my sensitive data from the internet & told them I didn't want their app.

I try my best to get all I deal with to adopt SSL but with much resistance. People don't like change & most just blame Google.

goodroi .... those sites: did they collect patient data, or merely provide a location, office hours, the ordinary info anyone would be looking for?

Given the heartbreak and regulations most in the health care industry deal with every day, I can see why they might not invest in place holder announcement location when the rest is eating their time, much less their lunch.

That said, https is the next wave. Yes, right now free certs are available (the old bait and switch to create a saturation point before going cost/required) but there still remains a yuge number of websites that will NOT benefit from https, no way, no how.

Unless the SERPS require it. And at that point g and the rest are throttling competition ... but that's another thread for another day.

right now free certs are available (the old bait and switch to create a saturation point before going cost/required

No, that's an unwarranted assumption & there's absolutely no evidence of that anywhere. I'm installing certs from a number of sources and the free certs are solid.

Didn't say they didn't work, keyplyr. I've just been around long enough to look the gift horse in the mouth. Twice.

I remember those "Do No Evil" guys. :)

(and no, I am not equating certs to g so skip that reply!)

I remember those "Do No Evil" guys. :)
(and no, I am not equating certs to g so skip that reply!)

Well obviously you are, but that's beside the point.

There is no "bait and switch" with Security Certificates and saying that is a false statement which only adds to the tentative attitudes of many who are nervous about switching to HTTPS protocol.

Medical websites should be one of the communities that is eager to protect sensitive information by switching to HTTPS and it's alarming that they aren't.

HTTPS is one thing, I bet that we would be horrified to know how these sites are being maintained and protected from intrusion for example.

@tangor It is hard to give a simple answer when trying to summarize over 3500 different sites. These were mostly fully built sites with many pages. Some were "business card" type sites with minimal information/functionality. Most had contact forms for patients to complete. At the very least I suspect they are receiving new patient info from these forms.

Switching to https would be smart for patient privacy issues, better chance to attract link partners in this industry, and I suspect Google will eventually increase the ranking benefit for https.

If actual patient info (and a contact form would fall into that) is being collected, then HTTPS is the best method.

keyplry, you give things away to develop a desire/need and when a saturation point is achieve, you start charging for what was "free". It's the nature of the beast. HTTPS certs have value, after all, SOMEONE has to maintain them and that has a cost.

tingor, it's not that I don't understand your conspiracy concept, it's just not true.

An SSL certificate is a bit of code on your web server that provides security for online communications. There are thousands of web hosts, all offering various SSL certs.

There is no conspiracy to "bait and switch" and saying so without proof is irresponsible, especially coming from someone who seemingly keeps up with the latest facts.

On the other hand, if you can provide evidence of widespread fraud concerning SSL certs, that's a different story.

Slightly larger surveys than 3500 websites:

"From a recent web usage survey, approximately 4.33% of .COM websites redirect to a HTTPS variant. The percentage for .NET is lower at 2.48%. The .ORG is slightly better at 2.78%. The .BIZ gTLD is at 1.01% and .INFO gTLD is at 0.86%. On the ccTLD side of the surveys, the .EU was at 1.19%, the .UK ccTLD was at 2.51%, the .DE ccTLD was at 2.99%, the .FR ccTLD was at 2.50%, the .ES ccTLD was at 2.74% and the .US ccTLD was at 0.787%.

The percentage on non-IDN new gTLDs was 0.577%."

Regards...jmcc

An SSL certificate is a bit of code on your web server that provides security for online communications. There are thousands of web hosts, all offering various SSL certs.

If there were no other considerations (ie, free as you proclaim) then every host or shared server would be passing these out with every account.

That ain't happening.

TANSTAAFL.

Somebody, somewhere, is eating the cost of these free certs at the moment. That "strip of code" has to go to something that certifies the HTTPS. That's a value thing, and things are not (in my general experience) given away for free unless there is something in for the giver down the line.

One of the major Free SSL Cetificate suppliers is Let's Encrypt:

Let's Encrypt is a certificate authority that launched on April 12, 2016 that provides free X.509 certificates for Transport Layer Security encryption via an automated process designed to eliminate the current complex process of manual creation, validation, signing, installation, and renewal of certificates for secure websites... Funded through sponsors like Mozilla, Facebook, Cisco, Chrome, OVH, etc and ongoing Crowdfunding Campaigns and Individual Donations.

source: [letsencrypt.org...]

It is now a competitive thing among web hosts. Most allow cert installation by the account holder so the free certs can be used. Many others (2 of my hosts) have set up automatic installation & updating of Let's Encrypt. Other hosts offer 1 year free cert (their own as GoDaddy does, or some 3rd party cert) then after 1 year it's billed at normal rate, usually $8 to $15 per year however many of these hosts also allow the free certs to be used.

Hope this helps.

it's billed at normal rate

As a confirmation the theory is not a conspiracy, it does. :)

No, that has nothing to do with your free certs "bait & switch" conspiracy theory.

Those are *other* certs (not the free Let's Encrypt) that some hosts offer free for a year as a newcomer deal. This has been going on for years. Many hosts do this with many different products. Totally unrelated.

Provide us with proof there is fraud in the Security Certifications market to prove you claim. Which free certs have you seen "bait and switch" users to pay? Name them and include links to backup your claim.

Otherwise let's move on :)

I surrender. You win. Free Certs are not Bait and Switch (to build up a clientele). It appears there's no way to convince you that providing free now will not become REQUIRED at an undetermined date.

After all, Bell (putting free phones in general stores across the nation, one store at a time) didn't build a need, the infrastructure, then eventually force the public to pay and pay and pay.

You got me. Free certs for HTTPS will be forever. All web hosts will provide them (since the webmasters can't create them themselves other than plugging in some code, and that's what creates the cert).

You're right. All the above. (Which I've allowed all along).

usually $8 to $15 per year

Yes sir. I guess I got it wrong.

As an aside, at which point will Let's Encrypt certs not be sufficient for the cert market? Just asking.

And this is most serious when I ask this (no leg pulling, no humor), what validates Let's Encrypt compared to the paid services which, arguably, are established entities. How does that jive --- free v paid? Which is better and WHY?

As I see this, in the future (which some neglected to do back when g was a dream) the web changes, standards are asserted over time, and what once was "free" (it has never been free, somebody paid somewhere from the user to the backbone).

The standard under discussion is HTTPS, an encrypted web protocol.

The current web is NOT encrypted.

How do you get from point a to point b?

Give it away (that's the bait and switch in my argument) until there are more at point b than a, at which time it will me made mandatory (if you want to play at point b) to be encrypted (https)

Certification will change many things .... among which will be deeper knowledge of WHO is running websites, etc.

This is a big move. An important move. One I marginally agree with as it will help make the web both safer and less noisy.

What I see, in future, will be host being accountable for their accounts (webmasters) to provide certs which go a long way to keeping things a bit less chaotic. I also see it as yet another invasion into eventual regulation. Again, WAY down the road, but coming (it always does, human nature, look at the last 3,000 years)

I tend to be light hearted, but I am always sincere.

You need a cert to be HTTPS

You can get something for free (at the moment) to play the game.

But the gift horse should be examined as FREE is NEVER free, and that part of opposing arguments just won't wash.

Yet, if not for the free certs the web won't move and there in lies the rub.

Free always works. What that work ends up providing is the conumdrum.

What level of cipher encryption is "free" and what is required for most banks? One of the wonders.

SSL has so many layers it boggles the mind.

The free cert gets you in the door, but it might not close the deal.

Hate to belabor this, kiddies, but doctor websites only 5% HTTPS begs the question, as well as all the ecommerce sites and PII and man in the middle.

What do you get for free? 96bits? 256? Ha, ha.

Give me some of that old time 2048.

I won't say what said above but will remark that a horse will switch its tail to get rid of flies .... The move to HTTPS is given. We will ALL do this at some time.

Eventually it will have a cost of operations as a THIRD PARTY is involved.

What that cost will be is TBD.

What is really at stake is interaction on the web that users AND health patients, can depend on.

It is now a competitive thing among web hosts. Most allow cert installation by the account holder so the free certs can be used.

No. This is not supported by the data. Unlike Goodroi's survey, the data that I posted is from surveys covering tens of millions of websites.

Most large hosters and registars, especially the retail facing ones, tend to view SSL certs as a money-making add-on service. The uptake of HTTPS is far lower than the fanboys in the SEO business would have us all believe and the majority of sites that I surveyed in the gTLDs and ccTLDs are not HTTPS by default. Where they are HTTPS by default, there will generally be a redirect to the HTTPS version of the site. The figures that I posted are those redirects.

There is a rise in new sites being HTTPS by default but it is nothing close to HTTPS everywhere. Free doesn't matter when there's a cost for implementing it.

Regards...jmcc

jmccormac, your quoted survey has nothing to do with hosting companies allowing account holders to install certs. True, not many site owners do yet... but the hosting companies allow it. You may have misunderstood what I wrote.

I shop around for hosting companies all the time for clients, and many, if not most, offer the option to bring your own cert.

[edited by: keyplyr at 6:01 am (utc) on May 24, 2017]

The problem, Keyplyr, is that the majority of website owners still treat their sites like brochureware and rely on their webmasters or hosters for add-on services like certs. On some of the long running monthly surveys, I see sites that have no changes over the course of a year. It can vary but in some categories, it can be about 24% of sites. My quoted survey is actual survey data across over 1200 TLDs including the two largest ccTLDs (DE and UK). There is an increase in new sites redirecting to the HTTPS version. If you look at this as a webdeveloper or SEO, then HTTPS makes sense and is easy to implement. If you look at this as an ordinary website owner, the response is more likely to be "what's HTTPS and how much will it cost?".

Regards...jmcc

Oh, I'm in agreement with all that :)

It would be interesting to see the country by country breakdowns on Let's Encrypt certs. I ran a cert survey a few years ago and it might be interesting to see how things had changed. As some of the legacy TLD samples were broken down by full zone, last year and new registrations, it was possible to see the increase in HTTPS sites in newer sites. The problem is that renewal rates on some of those TLDs are falling so some of those sites will drop when the domain name comes up for renewal. I already know from surveys that domain names with developed websites are more likely to renew. It could be interesting to do some historical analysis across older surveys to see if having a cert is an indication of higher renewal rates.

Regards...jmcc

It could be interesting to do some historical analysis across older surveys to see if having a cert is an indication of higher renewal rates

I would assume so. Installing a cert and upgrading to HTTPS shows the site is actively managed and an interest in keeping up to date with web standards and safety for the user.