Geekzone: technology news, blogs, forums
jarledb
Webhead
3257 posts

Uber Geek

Moderator
ID Verified
Trusted
Lifetime subscriber

  #1663277 3-Nov-2016 12:30

Letsencrypt is brilliant. It's free, and it's available with auto renew on all the hosting platforms I use for my customers, and it's being used to secure admin logins and, more and more, to have the sites be full SSL.

 

A lot of sites will be moving to SSL when Google Chrome make their warning of non-encrypted websites more visible. (Chrome already shows a ! on sites without SSL, and will begin to show a notice after the ! in not too long).

 

Besides, SSL actually gives a little SEO boost already on Google, and allows for using HTTP/2 which really can speed up a website.





Jarle Dahl Bergersen




michaelmurfy
meow
13257 posts

Uber Geek

Moderator
ID Verified
Trusted
Lifetime subscriber

  #1663306 3-Nov-2016 13:22

I don't have anything running over HTTP - it is HTTPS with either Letsencrypt or Cloudflare SSL. I just have a cron job to run the renewal scripts.





Michael Murphy | https://murfy.nz
Opinions are my own and not the views of my employer.


mattwnz
20164 posts

Uber Geek


  #1663322 3-Nov-2016 13:52

jarledb:

 

Letsencrypt is brilliant. It's free, and it's available with auto renew on all the hosting platforms I use for my customers, and it's being used to secure admin logins and, more and more, to have the sites be full SSL.

 

A lot of sites will be moving to SSL when Google Chrome make their warning of non-encrypted websites more visible. (Chrome already shows a ! on sites without SSL, and will begin to show a notice after the ! in not too long).

 

Besides, SSL actually gives a little SEO boost already on Google, and allows for using HTTP/2 which really can speed up a website.

 

 

 

 

I can't see it making any difference, and potentially such a warning is misleading, as it gives the impression that simply visiting the site could be a risk to the visitor. Most sites however don't need an SSL certificate, and sitewide HTTPS isn't used much; even big retailers like The Warehouse don't use it. It can also give the false impression a website is secure when it isn't; for example, an old WordPress website with security holes is still going to be a security risk, with or without HTTPS. So it could give people false information regarding the site's security. You really only need it for things such as shopping carts when someone is logging in. Although I know quite a few shopping carts that don't even have it for that, which isn't good.

 

 

 

I don't believe there is any proof that there is any SEO benefit with having an SSL. I recall reading something recently where they tested it, and found there was no proof of any SEO benefit.

 

http://www.seoblog.com/2014/10/website-owners-overestimating-https-seo-benefits/ 




hio77
12999 posts

Uber Geek

ID Verified
Trusted
Lizard Networks

  #1663324 3-Nov-2016 13:56

Personally I go for PositiveSSL certs for anything that is not absolutely crucial but requires SSL.

I even go as far as having one for the router. Probably a little excessive, but at least it's not self-signed!

 

 

 

Let's Encrypt is a cool system, but can be a fair bit of work in some cases unfortunately.





#include <std_disclaimer>

 

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

 

 


jarledb
Webhead
3257 posts

Uber Geek

Moderator
ID Verified
Trusted
Lifetime subscriber

  #1663336 3-Nov-2016 14:38

mattwnz:

 

I can't see it making any difference, and potentially such a warning is misleading, as it gives the impression that simply visiting the site could be a risk to the visitor.

 

Most sites however don't need an SSL certificate, and sitewide HTTPS isn't used much

 

 

Using SSL when the web is moving that way is going to become quite necessary. If nothing else, to be able to get referer information from https sites linking to yours.

 

Browsers will not send a referrer when linking from HTTPS to HTTP

 

 

even big retailers like The Warehouse don't use it.

 

 

Don't make the mistake of looking at how people do something wrong to justify not doing it. Any ecommerce site should be using SSL for their full site, both for security but also as a part of the signal to the customer to trust the site.

 

 

It can also give the false impression a website is secure when it isn't; for example, an old WordPress website with security holes is still going to be a security risk, with or without HTTPS.

 

 

That is true, but Google and others are actually dealing with malware infested sites by warning the users before they hit infested pages. That will not stop working with a site using SSL.

 

 

So it could give people false information regarding the site's security.

 

 

Also true, but that should be handled by other mechanisms in any case.

 

 

You really only need it for things such as shopping carts when someone is logging in. Although I know quite a few shopping carts that don't even have it for that, which isn't good.

 

 

That's not true. Using SSL actually secures a site from man-in-the-middle attacks. So all sites should be using it. If I wanted to infect business people at large scale, I could easily set up fake Wi-Fi hotspots at airports and insert zero day exploits on pages such as Stuff, NZherald etc.

 

I could also do the same with Trademe, and make sure that people paid me instead of Trademe when "winning a bid", that I also could manipulate quite easily.

 

If those sites were running SSL that would be impossible.

 

 

I don't believe there is any proof that there is any SEO benefit with having an SSL. I recall reading something recently where they tested it, and found there was no proof of any SEO benefit.

 

http://www.seoblog.com/2014/10/website-owners-overestimating-https-seo-benefits/ 

 

 

That's funny. The article you link to raises a few problems which are implementation problems when going from HTTP to HTTPS, but it also has these portions:

 

  • Google took a stance.  A secure site is better than an equivalent site without security.  A site using HTTPS would gain a small benefit to their search ranking.  In other words, site security was officially a search ranking factor.
  • Google telling webmasters that SSL is a valid ranking factor is a drive to push webmasters into implementing site-wide HTTPS connections, even if the benefit they would receive is nearly negligible.

BTW: Google has removed the SEO-penalty for 301 redirects. Probably because of their push to get the web over to SSL. So as long as your change from HTTP to HTTPS is implemented correctly, you won't get any SEO penalties for redirecting (with a 301) from the HTTP to the HTTPS version.







Dulouz
883 posts

Ultimate Geek


  #1663388 3-Nov-2016 16:59

I use https://www.ssls.com - reasonable price and no issues.





Amanon

tardtasticx
3075 posts

Uber Geek


  #1663491 3-Nov-2016 21:42

I use LetsEncrypt as well. The setup is painless and it auto renews so no big deal. Does the job and a fine one at that.

 
 
 

amanzi
Amanzi
1299 posts

Uber Geek

ID Verified
Trusted
Lifetime subscriber

  #1663583 4-Nov-2016 10:00

Two free options for you to consider for securing websites:

 

1 - as others have mentioned, Let's Encrypt is a great solution if you have full control over your web server. The short lifetime of the certs isn't an issue because part of the setup procedure is creating a cron job that renews the certs for you in the background. This works really well and is free.

 

2 - you can also use CloudFlare to secure your site without even touching the configuration on the website, and this is available on the free plan. CloudFlare presents an SSL cert so that traffic is secured between visitors and the CloudFlare servers. Then you have two options for the traffic between CloudFlare and your webserver: you can leave the traffic unencrypted, or you can install a self-signed cert and configure your website to use HTTPS so the full traffic flow is encrypted. (Visitors won't see any cert warnings, even if using a self-signed cert.)

 

 


timmmay
20581 posts

Uber Geek

Trusted
Lifetime subscriber

  #1663641 4-Nov-2016 11:40

I actually use both Let's Encrypt and CloudFlare. Having Let's Encrypt means CloudFlare can connect to my web server over https, so it has end to end security.

 

If you use CloudFlare you should set up your firewall to prevent direct connections, other than say your own PC so you can SSH in. That's really easy to do on AWS, security group = firewall.


jarledb
Webhead
3257 posts

Uber Geek

Moderator
ID Verified
Trusted
Lifetime subscriber

  #1663690 4-Nov-2016 12:00

timmmay:

 

I actually use both Let's Encrypt and CloudFlare. Having Let's Encrypt means CloudFlare can connect to my web server over https, so it has end to end security.

 

If you use CloudFlare you should set up your firewall to prevent direct connections, other than say your own PC so you can SSH in. That's really easy to do on AWS, security group = firewall.

 

 

For regular webhosting you can use a .htaccess rule and deny all IP addresses except for CloudFlare's to make sure it's not possible to access the site by going directly to your IP address.







sleemanj
1490 posts

Uber Geek


  #1664195 5-Nov-2016 13:01

FWIW, my wildcard is a Comodo cert, purchased through namecheap.com

 

I have a couple of letsencrypt certs on some sites but most of my things I can push through the wildcard.

 

I fully expect to see that SSL becomes the norm rather than the exception in the reasonably near future, now that SNI is well supported.





---
James Sleeman
I sell lots of stuff for electronic enthusiasts...


michaelmurfy
meow
13257 posts

Uber Geek

Moderator
ID Verified
Trusted
Lifetime subscriber

  #1664222 5-Nov-2016 13:29

jarledb:

 

timmmay:

 

I actually use both Let's Encrypt and CloudFlare. Having Let's Encrypt means CloudFlare can connect to my web server over https, so it has end to end security.

 

If you use CloudFlare you should set up your firewall to prevent direct connections, other than say your own PC so you can SSH in. That's really easy to do on AWS, security group = firewall.

 

 

For regular webhosting you can use a .htaccess rule and deny all IP addresses except for CloudFlare's to make sure it's not possible to access the site by going directly to your IP address.

 

 

I've written a blog article on doing this via firewall rules Here (a little better than doing it via .htaccess since your server is literally invisible to the internet). Furthermore with Cloudflare there is an option to generate an Origin Certificate which you can use on your Web Server for strict SSL communication to Cloudflare. That is what I personally use anyway.





Michael Murphy | https://murfy.nz
Opinions are my own and not the views of my employer.
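
Added example, not written by anyone in this thread: one way to build the proxy-only allowlist that the .htaccess and firewall posts above describe, and to check an access log for clients that still reached the origin directly. The ranges are constructed documentation-block placeholders (not real CloudFlare ranges), the log lines are constructed, the function names are hypothetical, and the log is assumed to record the connecting peer address.

```python
import ipaddress

# Constructed placeholder ranges (RFC 5737 / RFC 3849 documentation blocks),
# NOT real CloudFlare ranges: substitute the provider's published list.
PROXY_RANGES = ["192.0.2.0/24", "198.51.100.0/25", "198.51.100.128/25",
                "2001:db8::/32"]

def load_ranges(cidrs):
    """Parse strictly (host bits set -> ValueError) and merge adjacent blocks."""
    nets = [ipaddress.ip_network(c.strip(), strict=True) for c in cidrs if c.strip()]
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return list(v4) + list(v6)

def render_htaccess(nets):
    """Apache 2.4 allowlist; any client outside these ranges gets a 403."""
    lines = ["# Only the reverse proxy may reach this origin"]
    lines += [f"Require ip {n}" for n in nets]
    return "\n".join(lines) + "\n"

def is_proxy(ip, nets):
    addr = ipaddress.ip_address(ip)  # raises ValueError on a non-IP field
    return any(addr.version == n.version and addr in n for n in nets)

def direct_hits(log_lines, nets):
    """Return (ip, request) for log entries whose peer is not the proxy."""
    hits = []
    for line in log_lines:
        ip, _, rest = line.partition(" ")
        try:
            request = rest.split('"')[1]
            if not is_proxy(ip, nets):
                hits.append((ip, request))
        except (ValueError, IndexError):
            continue  # malformed line: no valid IP or no quoted request
    return hits

# Constructed access-log lines (common log format), for illustration only.
SAMPLE_LOG = [
    '192.0.2.17 - - [05/Nov/2016:13:30:01 +1300] "GET / HTTP/1.1" 200 5120',
    '203.0.113.50 - - [05/Nov/2016:13:30:07 +1300] "GET /wp-login.php HTTP/1.1" 200 2301',
    '198.51.100.200 - - [05/Nov/2016:13:31:12 +1300] "GET /about HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    nets = load_ranges(PROXY_RANGES)
    print(render_htaccess(nets))
    for ip, req in direct_hits(SAMPLE_LOG, nets):
        print("direct connection:", ip, req)
```

Any entry reported by `direct_hits` after the allowlist is deployed means the rule is not being applied to that path or virtual host.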


vulcannz
436 posts

Ultimate Geek
Inactive user


  #1665060 7-Nov-2016 14:53

jarledb:

 

That's not true. Using SSL actually secures a site from man-in-the-middle attacks. So all sites should be using it. If I wanted to infect business people at large scale, I could easily set up fake Wi-Fi hotspots at airports and insert zero day exploits on pages such as Stuff, NZherald etc.

 

I could also do the same with Trademe, and make sure that people paid me instead of Trademe when "winning a bid", that I also could manipulate quite easily.

 

If those sites were running SSL that would be impossible.

 

 

 

 

That is not true. MITM will either throw a warning (and given how users blindly click on stuff like spam, getting them to go past an SSL warning is not that hard), or if you install a resigning cert on the end client it will do nothing at all. I run SSL inspection on plenty of boxes, and even on my guest WiFi network at home (it has a link to install the cert, which people do without question).

 

I don't disagree with the need for SSL. But if you think it stops MITM you've got a nasty surprise coming ;)


jarledb
Webhead
3257 posts

Uber Geek

Moderator
ID Verified
Trusted
Lifetime subscriber

  #1665068 7-Nov-2016 15:04

vulcannz:

 

 

 

That is not true. MITM will either throw a warning (and given how users blindly click on stuff like spam, getting them to go past an SSL warning is not that hard), or if you install a resigning cert on the end client it will do nothing at all.

 

 

There's no cure for people being stupid. Google have however worked on making the security notice more effective.

 

As to getting a cert onto the end client: if a hacker has access to the end point, then SSL warnings are the least of your problems.

 

 







zespri

414 posts

Ultimate Geek

Lifetime subscriber

  #1721006 16-Feb-2017 08:45

Thank you to everyone who contributed. I have been running on Letsencrypt for the last few months, and it's been a joy.

 

Very nice and polished solution, and also free. I hope it will stick around.

