HTTPS vs HTTP for website

Reading that article I think maybe it's a little misleading? I can't think why they'd want normal sites to use https, unless they mean those shop sites using it correctly will be ranked preferentially.

If you really wanted to make your entire site https (which is pretty pointless unless it needs encrypted traffic, i.e. shop transactions) your webserver will need an SSL certificate purchasing and installing to it.
 
You no longer need to purchase an SSL certificate. You need one, but you can get them free from Let's Encrypt. https://letsencrypt.org/

It's a large group of people and organisations working towards free SSL encryption - it's automated. The only downside is you need to renew the certificates regularly (to prevent a proliferation of very long lasting but unused certificates).

As for the argument about non-SSL vs SSL - I believe we should drop non-SSL traffic entirely and move the entire web to SSL (technically, TLS). There's far too much information exposed by web pages that can be used for evil by anyone who can intercept it, and I'd rather all sites were SSL by default.

If you google for Let's Encrypt WordPress there are plenty of tutorials, but it does depend on your hosting provider's features.
 
What checks do Let's Encrypt do?
 
Let's Encrypt will, at least if you are running fairly bog standard Apache, automatically renew certs. I don't think there are any background checks so it says nothing about authenticity.

There are drawbacks to encrypting everything - say for example you want to run intrusion detection software on a Firewall that actively inspects http traffic in order to disrupt known harmful payloads, TLS encryption makes it a helluva lot more complicated. Still, any site with a webform on it should use TLS IMHO. Not SSL as it's exploitable and no longer supported by latest versions of many popular browsers.
 
Doesn't that make a mockery of the process of proving where traffic has come from? Being able to generate a cert (TLS not SSL like I said earlier, habit) with no checks seems counterproductive and a little dangerous.

And as above it's going to be a pain running any sort of corporate firewall/web filter. Especially the ones that for some bizarre reason you can't have transparent https inspection turned on as it breaks Skype for Mac :rolleyes:
 
They don't do any checks. Let's Encrypt is about encrypting traffic on the web, rather than proving identity, so your browser will trust the certificate, but people won't see the little green thing in the bar which implies 'someone sent us some letter headed paper to get this certificate'.

It isn't letterhead that does it. It is more thorough than that, the premium certs I believe can include a visit to your premises. I personally would not use them.

How does Google feel about them? They block and tell you self-signed is not secure in Chrome, you have to click on advanced to get access. They also block various Java things they feel are insecure, so it wouldn't surprise me if they block certificates with no checking or restrict their usage.
 
They're not self-signed certs. Have a read of the site, see who they're supported by. Their CA is included in all modern browsers. There are two purposes for certificates, to encrypt traffic and to prove identity. Most small websites never had to provide any proof of who they were to get a certificate, they just had to pay. Now they can encrypt traffic for free.
 
I know they are not self-signed, but do consumers/users understand this? Is it misleading?
 
You get different types of SSL certificate. The one that turns your address bar green is an EV Premium SSL and you need to go through identity checks to get one of these. It's also not possible to get one unless you are a Limited company (the last time I enquired).

We have a standard SSL certificate on our online store which encrypts the data. We've never had any confused customers or any issues with any browser.

We have also recently switched the entire site to SSL (not just form / checkout pages) because Google are giving more weight to SSL sites both in terms of SEO and AdWords positioning.
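
Two points this thread keeps returning to, regular renewal and whether a certificate carries any vetted organisation identity, can be read straight from the certificate a site serves. The Python sketch below is an added example, not code from any poster: the subject-field heuristic, the 30-day renewal window, the `fetch_cert` helper and the sample certificates (constructed in the dict shape that `ssl.SSLSocket.getpeercert()` returns) are all assumptions made for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

RENEW_BEFORE_DAYS = 30  # assumed renewal window, not a figure from the thread

def subject_fields(cert):
    """Flatten the nested RDN tuples of a getpeercert() dict into one dict."""
    return {key: value for rdn in cert.get("subject", ()) for key, value in rdn}

def validation_level(cert):
    """Heuristic: a domain-validated subject names no organisation;
    an EV subject names one and also states a business category."""
    subject = subject_fields(cert)
    if "organizationName" not in subject:
        return "DV"
    return "EV" if "businessCategory" in subject else "OV"

def days_left(cert, now=None):
    """Whole days until notAfter; negative once the certificate has expired."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return (expires - now).days

def report(cert, now=None):
    """Summarise identity level and renewal urgency for one certificate."""
    remaining = days_left(cert, now)
    return {"level": validation_level(cert), "days_left": remaining,
            "renew": remaining <= RENEW_BEFORE_DAYS}

def fetch_cert(host, port=443):
    """Fetch and verify a live certificate (needs network; not used below)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample certificates (hostnames and dates are made up).
DV_CERT = {"subject": ((("commonName", "blog.example"),),),
           "notAfter": "Mar 31 12:00:00 2030 GMT"}
EV_CERT = {"subject": ((("businessCategory", "Private Organization"),),
                       (("organizationName", "Example Shop Ltd"),),
                       (("commonName", "shop.example"),)),
           "notAfter": "Jan  1 00:00:00 2031 GMT"}
NOW = datetime(2030, 3, 11, 12, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for cert in (DV_CERT, EV_CERT):
        print(subject_fields(cert)["commonName"], report(cert, NOW))
```

Both sample certificates would encrypt traffic equally well; only the second says anything about who operates the site.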
 