On February 8, I had someone ask me about SSL site security, so I did a bit of research over the past few days on this topic.
We all know that SSL website encryption is absolutely necessary for anyone wanting to have online commerce, or sites that collect any kind of sensitive information. It’s used for banking, healthcare, and many government services websites. But what about the average person with a blog, or an informational news site? Such sites typically have not had SSL because it was considered unnecessary.
In my own web design work for clients, and with the ResourcesForLife.com site established back in the 1990s, I’ve not had a need for SSL encryption. For online commerce, I’ve always directed people to use secure PayPal, eBay, Square, and Amazon payment processing, online stores, and shopping cart services. For medical offices, I’ve encouraged people to use turnkey HIPAA approved solutions.
My sites and those I work with don’t collect financial or healthcare information. So there’s never been a pressing need for SSL security. Sites hosted with WordPress.com automatically include SSL encryption, but for self-hosted sites it’s an additional expense.
So, over the past few days I’ve wanted to revisit and research the use of SSL for non-sensitive websites.
In summary, it’s my view that SSL offers sufficient benefits for all site owners. Given that there’s little or no cost for SSL, it should be used by everyone. We now have SSL implemented on the ResourcesForLife.com website.
Three Benefits to SSL
Other than being necessary for commerce and healthcare, there are three primary benefits to using SSL encryption:
- Privacy. People would like their Internet browsing and content to be private. SSL allows for this.
- Security. Having a secure encrypted verified connection with our site helps prevent ‘man in the middle attacks’ where stealth site redirection might mimic a website and serve up malicious code.
- Visibility. Starting in 2014, Google began making SSL security a priority and they rank secure sites higher than non-secure sites.
Here are some helpful resources for those wanting to learn more.
- DreamHost.com SSL – Free SSL site encryption is available for all DreamHost hosting packages.
- GoDaddy.com SSL – Information about SSL products and pricing from GoDaddy.
- iPower.com SSL – Information about SSL products and pricing from iPower.
- Let’s Encrypt – Free open source SSL Certificate Authority.
- NetworkSolutions.com SSL – Information about SSL products and pricing from NetworkSolutions.
- WhyNoPadlock.com – If you have SSL, but are not seeing the padlock icon for your site, this online site scanner can help identify what content is causing the lock not to appear.
So, here’s some of the back story to share what I went through this past week enabling SSL for the ResourcesForLife.com website.
I figured the best way to learn about the process would be to implement SSL on my own site and then make an evaluation of the cost, installation, and management issues. The cost was about $50 per year for the basic level of SSL security.
Because most of my website customers are looking for the lowest possible setup and ongoing hosting expenses, I’ve been hesitant about suggesting SSL in the past unless absolutely necessary.
Once you set up a site with SSL, over time, there will be links to your site using the https:// prefix, and this will result in some errors or security alerts if at some point you no longer offer SSL to your site visitors. So, it’s kind of a permanent decision.
Seeing that some SSL services can cost as much as $400 to $500 per year, and being concerned about no industry regulations, I didn’t want to get locked into an ongoing expense that would be increasing from one year to the next like cable TV, mobile phones, or Epipens that seem to skyrocket in cost overnight without any good reason.
As I looked into it, my initial reaction was not enthusiastic. I figured the time, cost, and complexity just wasn’t worth it. I had some problems with the implementation that resulted in paying for SSL services, having them installed, but having it not actually work.
So, I quickly cancelled the SSL on my site — worried that soon Facebook links, search engines, and others linking to my site would automatically use the https:// which eventually would result in security warnings and causing people to avoid my site — since the https:// pages would no longer exist.
The problem I ran into was that despite having paid for SSL security, my site was still identified as insecure.
Chrome and Mozilla had very scary warnings about site visitors being possibly deceived and shown corrupted hijacked images. It seemed I might have to pay $200 per year for the ‘deluxe’ SSL service. I really was at a loss to know what was going on. This all was starting to seem like some kind of extortion and graft where the overall cost of simply having a website would soon have this unnecessary tacked on fee of $50 to $500 per year — “…if you want protection.”
Even after cancelling my SSL and being issued a refund, the SSL wouldn’t go away! The site would still load as https:// even after clearing my cache, even using other browsers on other computers, and the certificate still showed as not expiring until 2019.
So, given that the SSL remained, I continued exploring why it might be that my site, despite having SSL, was being flagged as not secure.
I was VERY surprised to discover that some of my site pages actually had the lock showing up, such as:
So, there was a mystery as to why this would be. I presumed that once a site was secure, the entire site would be secure — like a banking website.
I began removing widgets and content from my pages to see if something in the page content was causing the issue.
I wrote two of my hosting companies to inquire about this, but they didn’t help. I wrote the theme development company I work with. They had no answer.
Eventually I found this website:
That free site scanning service identified that my site logo and favicon.ico file were hard coded as http:// as well as a widget image. Once these three items were fixed, the site was okay.
All the other navigation, permalinks, and image files on the site were automatically updated to https:// dynamically by WordPress.
Anyway, it was a bit of a bumpy road initially which had me concerned about suggesting SSL to friends, family, and customers.
Now that I’m more familiar with the process I’m more confident about suggesting it.
- 14 February 2017. A few days after enabling SSL on my website, Google began a massive deep-scan and re-indexing of the entire site. This resulted in my website statistics showing over 4,000 visitors in just a few hours. Reviewing the site statistics, I saw hundreds of different IP addresses as the sources of what were identified as Google Bot scanners. Initially I wasn’t sure what was going on, but it seems most likely that the site change to https:// caused all site pages and links to need reindexing.