HTTPS for Free

You’re probably already using HTTPS (that’s SSL/TLS on HTTP – it encrypts people’s connection to your websites), but if you’re not you really should be. Google has announced that not using HTTPS will negatively affect your website’s ranking in Google – it only makes a small difference now but this will likely increase in the not-so-distant future.

Until fairly recently, it would cost you a chunk of money to get that pretty green padlock next to your web address in browsers, but today there are many cheap and free solutions. This means that everyone (even my mum) can have a secure website.

Free Certificates

The traditional way of getting TLS on your web server is to install a certificate which you request from an approved body. Companies like GoDaddy offer pretty cheap certificates in this way. Fairly recently, all the major browsers started supporting StartSSL as an approved certificate authority. This was big news as StartSSL issues free certificates. It’s not easy, mind, as detailed in this post by Eric Mill. I’ve also been informed that WoSign also offers free certificates but I haven’t tested this myself. Their website is also very slow to access from outside of China.

CloudFlare

If the above sounds like a few too many hoops to jump through, perhaps you should consider CloudFlare. CloudFlare are a DNS provider who also “wrap” your entire website in a CDN. Since users access your site via CloudFlare’s CDN servers and not by directly talking to yours, the certificate needs to be on their machines. Premium subscribers could always upload their TLS certificate (from a certificate authority) to CloudFlare, but since late 2014 CloudFlare has issued certificates for free. This means that once you’re set up on CloudFlare (which is really easy), there are no more hoops to jump through to enable HTTPS – just the click a button! It’s worth noting that these are SNI certificates – they have no bearing on a computer’s IP address like the traditional method but these days are very well supported. (CloudFlare calls TLS “SSL”, they’re two names for pretty much the same thing).

ACME/Let’s Encrypt

Although CloudFlare makes it really easy to set up HTTPS, it’s not always an option to use their services. Fortunately The Linux Foundation are working on a simple solution which auto renews certificates for you. It’s called Let’s Encrypt and it’s due to be released the week of 14th September 2015. They go into some detail about how it works here (and even more detail here) but it looks like they might only be releasing it for Linux – we might have to wait for a community solution for Windows servers.

Using HTTPS on your site

Azure Web Apps

Azure Web Apps come with certificates for *.azurewebsites.net, so no action needed if you don’t have a custom domain.
Custom domains can therefore use CloudFlare “Full SSL” (not “strict”).
You can also upload a certificate (included in the price) for Standard and Premium web apps or pay if you have a Basic one. No luck for Shared (and you can’t use custom domains on Free anyway).
If you have a Web Role, you may be able to set up Let’s Encrypt when it comes, but not on Web Apps – unless Microsoft implements it (fingers crossed!).

GitHub Pages

GitHub recently added HTTPS to their Pages product for *.github.io – so no work for y’all on github.io subdomains.
This of course means you can now use CloudFlare’s “Full SSL” (not “strict”) offering on GitHub Pages too.
You cannot upload custom certificates, however, and I doubt GitHub will integrate Let’s Encrypt due to the extra load it’d put on their servers – but we can dream!

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

w

Connecting to %s