Help me understand what I should do about SSL

     
7:24 pm on Sep 17, 2017 (gmt 0)

Preferred Member

10+ Year Member Top Contributors Of The Month

joined:May 1, 2005
posts: 413
votes: 2


I'm pretty ignorant about SSL / security, have read a fair bit in the last few days but am still quite confused!

I have about 60 sites I run for small businesses (basically just one-person businesses). They are only interested in ranking in local search. They are basically sites to advertise their services and consist of 8-12 pages. They are not trying to sell online. Half the sites are WordPress, half HTML. The only thing that the public might do is fill in an enquiry form with name, email address, phone number and their enquiry. All are hosted on a reseller hosting account.

Up till now I've kept my head in the sand on the basis that these are not ecommerce sites.
However I now have two concerns -
- Firstly, noises that non-SSL sites may get lower rankings in SERPs. In reality I'm pretty sure that most of the direct competitors of these sites will not have SSL. What may happen is that the larger directories that also feature in the local results dominate even more (if having a secure site really does affect ranking)
- Secondly, if we start seeing messages saying "this site may not be secure" either in SERPs or in the browser bar when someone clicks through - this is the frightening factor for me!

So what do I do?
1. Continue to bury my head in the sand
2. Go for the free self signed certificates that I can get through my webhost through cPanel (as I understand it this may still raise a warning but the visitor can accept the certificate - I'm not sure if that makes this option viable really)
3. Buy separate certificates for each domain
4. Buy a multidomain certificate

Bear in mind these are all low cost websites so the cost of SSL needs to be sensible
Also if it makes any difference 75% of the domains are held in my own domain registration account 25% were registered by the client. Of those in my account 50% are registered in my name 50% in the client's name.

Finally - when it comes to certificates there seems to be a bewildering variety of deals with 3rd parties seeming to sell for lower prices than the people issuing the certificates!
7:31 pm on Sept 17, 2017 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:10393
votes: 597


2. Go for the free self signed certificates... You can always upgrade to a higher end cert later if you find it necessary.

Many of us use the free cert offered by Let's Encrypt [letsencrypt.org]
This cert works great and browsers show NO warnings.


What Will Happen if I Don't Switch to HTTPS? [webmasterworld.com]
8:04 pm on Sept 17, 2017 (gmt 0)

Full Member

Top Contributors Of The Month

joined:Apr 20, 2017
posts:297
votes: 55


"Go for the free self signed certificates"

Maybe I am wrong, but I think that web browsers are blocking the access to sites which are using "self-signed" certificates (since the certificate can't be trusted), and asking the user to "add an exception" to access it. Which, in that case, is worse than the warning that the site is not served through TLS.

But there is certainly a module of cPanel which allows you to generate a Let's Encrypt certificate, which is free.
8:40 pm on Sept 17, 2017 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 25, 2005
posts:1592
votes: 225


Get your hosting provider to upgrade cPanel to include support for Let's Encrypt, if they don't already. Stay away from self-signed certificates, and I wouldn't bother paying for a simple certificate these days. With a cPanel plug-in you'll only have to switch SSL/TLS on once for each domain, and the renewals will happen automatically. Not sure how it works with cPanel, I've only seen it in Plesk. Whole thing won't cost you a penny.

The bigger issue that follows is moving all 60 sites over to the HTTPS version, making sure proper redirects are in place and all links and image, CSS and JavaScript references are updated.

PS: 3rd party certificate sellers can often offer a better price because they buy in bulk from the certificate authorities, who also benefit by not having to deal with the customers directly. Still, free is the best price in this case :-)
1:23 am on Sept 18, 2017 (gmt 0)

Moderator from US 

WebmasterWorld Administrator keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:10393
votes: 597


"I think that web browsers are blocking the access to sites which are using "self-signed" certificates"
That was *more* true a year or so ago. While some self-signed certs still should be avoided, others work without issue. It depends on the cert and the host (how accounts are config'd on the server.) That's why I said the OP could try his host's free cert first, then if it caused any problem, upgrade to something else.

Some hosts are offering Let's Encrypt in their cPanels, others don't. Self install is always a choice, but some hosts aren't set up for it. Things like this really draw attention to how customer friendly your host is. The last several hosts I've done work at have all been up-to-date with secure content and supporting SNI.
8:38 am on Sept 18, 2017 (gmt 0)

Preferred Member

10+ Year Member Top Contributors Of The Month

joined:May 1, 2005
posts: 413
votes: 2


Very good advice - thank you. Will contact webhost about Let's Encrypt
4:46 pm on Sept 27, 2017 (gmt 0)

Preferred Member

10+ Year Member Top Contributors Of The Month

joined:May 1, 2005
posts: 413
votes: 2


So just to feed back. Webhost doesn't do Let's Encrypt, but does do AutoSSL. So he's installed that for me and also provided his recommended 301 code to redirect to https.
Have 301d a few sites now and this is what I notice.
If I have a site that uses old AdSense code or Amazon code or old YouTube embed code, I don't get the green padlock.
In Firefox when clicking the info icon it tells me the site is secure but it's blocked some stuff (ads don't show up)
In other browsers it tells me site is secure but some items such as photos may not be secure.
This sounds scarier than the somewhat benign "this site does not provide a security certificate" that I was getting before!
Anyway I can get fresh secure code in those instances so it's no problem but thought I'd point it out for anyone else who comes upon this thread!

On another note - in terms of describing what https does would it be fair to use this crude analogy?: It's not putting an extra lock on your front door (there's other stuff for that), it's about making sure people can't tap into your phone conversations.
5:01 pm on Sept 27, 2017 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:14374
votes: 565


"If I have a site that uses old AdSense code or Amazon code or old YouTube embed code, I don't get the green padlock."
The key word here is old. AdSense, Amazon, YouTube are all https now, so you need to update all links--manually if necessary.
6:37 pm on Sept 27, 2017 (gmt 0)

Preferred Member

10+ Year Member Top Contributors Of The Month

joined:May 1, 2005
posts: 413
votes: 2


Yes that's right
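
The missing padlock, blocked ads and "some items may not be secure" notices reported in this thread after the 301 to https come from pages that still load subresources over http://. As an added example, not part of the original thread, this Python sketch lists those references in a page's HTML and labels each as active (browsers block it) or passive (loaded, but the padlock is downgraded); the sample page and its example.com hostnames are constructed.

```python
from html.parser import HTMLParser

# Tags whose http:// loads browsers block outright on an https page (active).
ACTIVE = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}
# Tags whose http:// loads are still shown but cost the page its padlock (passive).
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}

class MixedContentFinder(HTMLParser):
    """Collects (line, kind, tag, url) for every http:// subresource."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "link":
            # Only stylesheets are fetched as subresources; rel may hold several tokens.
            if "stylesheet" in a.get("rel", "").lower().split():
                self._check("active", tag, a.get("href", ""))
        elif tag in ACTIVE:
            self._check("active", tag, a.get(ACTIVE[tag], ""))
        elif tag in PASSIVE:
            self._check("passive", tag, a.get(PASSIVE[tag], ""))
        # <a href="http://..."> is navigation, not a subresource, so it is not flagged.

    def _check(self, kind, tag, url):
        # Protocol-relative (//host/...) and relative URLs inherit https and are fine.
        if url.strip().lower().startswith("http://"):
            self.findings.append((self.getpos()[0], kind, tag, url.strip()))

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page (hostnames are placeholders, not from the thread).
SAMPLE = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="http://ads.example.com/show_ads.js"></script>
</head><body>
<img src="http://www.example.com/images/van.jpg" alt="van">
<iframe src="http://video.example.com/embed/abc123"></iframe>
<script src="//cdn.example.com/lib.js"></script>
<a href="http://www.example.org/">A client link</a>
<img src="https://www.example.com/images/logo.png" alt="logo">
</body></html>"""

if __name__ == "__main__":
    for line, kind, tag, url in find_mixed_content(SAMPLE):
        print(f"line {line}: {kind:7} <{tag}> {url}")
```

Run over each site's saved pages, the active findings are the ones to fix first, since those are the ads and embeds that silently stop appearing.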