I’ve set up multiple (and when I say multiple, I mean thousands) of websites before. Whether through a sub domain service, or using my own domains, I know what it means to keep my viewers safe.
However, Google has recently spoken out against insecure websites saying that they won’t index them on the first few pages of their search engine. And, just to top it all off, they are rolling out a feature for Chrome that makes you confirm that you want to visit the “insecure” website.
Well, as it turns out, it’s not an attack on insecure websites, just on the standard HTTP protocol. They, along with many other Internet Authorities, want HTTPS to become the new standard. These Internet Authorities, such as Google, DigiCert, GeoTrust, Symantec, and Comodo, want you to use their services to give your site that shiny HTTPS extension.
The issue is that there are so many different types of security certificates, called SSL/TLS certificates. There are a few types, such as DV (domain validation), which is the standard. This will show visitors a lock icon in the address bar when viewing your site. This is now the minimum for Google’s site indexing. Then, there’s EV (extended validation), which gives you that green address bar. The point is, with so many options, which one should you choose?
Let’s first talk about your budget. This is important, because each certificate authority, or CA, charges differently for a certificate. Luckily, since HTTPS is now becoming a standard, prices have been lowered for most standard certificates. The problem is that they are still progressively pricy. A standard DV certificate could cost you anywhere from $10/yr to $200/yr. An EV certificate can cost more than $1000! This makes for a very competitive market, because each CA wants you to spend your precious money on them, when in reality, it doesn’t matter who you buy from.
But wait, there has to be an alternative, right? Yeah! There does. If you have the access to the right materials, you can sign your own certificate. Only, it won’t be trusted by any major browsers, meaning only you will know how secure you are. However, free DV SSL certificates are floating around, you just have to know where to find them. StartSSL used to be the largest provider of free certificates, but their roots are no longer trusted in modern browsers.
Hold on, there’s more. Let’s Encrypt, a brand new CA started in 2016, has taken over the free certificate market, and they are already trusted in all major browsers. They provide free DV certificates to anyone, and you can get a virtually unlimited number of certificates from them. For example, this site and all the sites with “sulliops.co” in them are secured with a Let’s Encrypt certificate. There is even a plugin for cPanel, the largest website management platform in the world, that allows you to get a certificate with the click of a button.
So, if you own a website and want it to live up to new standards, I encourage you to check out Let’s Encrypt.