How to Get Free SSL Certification, and Why That Matters

In this post, we’ll cover what SSL Certification is (short answer: that “https” thing), why bloggers should care about it (short answer: don’t freak out if you don’t have it), and how to get it entirely free (Fergus did it in roughly half an hour!).

Steve from Think, Save, Retire wrote a great piece on what SSL is, why it matters, and why it generally does not matter much to blogs. Steve’s got a wonderful blog, has very recently retired, and is super supportive in the Personal Finance blogging community.

There are, however, two additional things about SSL certification that are important to note that prompted us to write this article:

  1. SSL Certification does not mean $$$
  2. There are instances where it could make a security difference to blogs

What is SSL Certification?

Secure Sockets Layer (SSL) is a security standard that encrypts information between websites and end users in a browser. Sites that have certification will show up as “https” instead of “HTTP” in the address bar (for the most part, at least; some sites default to non-encrypted/http but have an encrypted/https option). With SSL, it is almost impossible for eavesdroppers to read information passing between the website and users.

Never submit any financial information over an HTTP connection (and of course always be careful in general of who you give sensitive information to – as Steve pointed out in his article, https does not mean the site isn’t just a phishing scam).

Without SSL, your internet provider and anyone else on your local network (including employers) can see exactly what pages you visit and any information transferred. With SSL, the most they can see are domain names. Now, internet providers knowing where you browse may not sound super scary at first, but keep in mind they have been known to give backdoor access to the NSA and other government entities.

Why Should Bloggers Care About SSL?

Pros: SEO; Privacy/Safety
Cons: Hit to Ad Revenue; Time and/or Money to Set Up

Possible Hit to Ad Revenue

As Steve points out, ad revenue seems to have taken a hit for many bloggers, at least in the short term.

Google currently claims, “All ads that come from any Google source always support HTTPS, including AdWords, AdSense, or DoubleClick Ad Exchange.” This means that theoretically there will be no change in revenue if your site exclusively uses Google sources for ads. They further give several examples of large sites that have made the transition with no significant impact to ad revenue. Other ad services or direct ads, however, may not work as expected. This will likely change over time with more adoption of SSL.

For this blog, the only possible ad-related revenue would be through affiliate links, and those seem to work fine. Since we still have not had any profit, it’s very hard to face a decline in said profit.

SSL is Not the Default for Hosting Providers, Meaning Effort is Required

Some companies offer SSL services with an upfront cost of $60+ for certification. Alternatively, you can get it for free, but it will take some non-zero amount of effort. Fergus was able to set us up with SSL in roughly half an hour, with the majority of that time spent looking up passwords for our web host and WordPress accounts. That said, Fergus holds degrees in Computer Science, so, it may take more time to DIY if you’ve never used a terminal or command line.

Now, it used to be a lot more difficult to go HTTPS – I saw some videos, and it was not pretty. However, lucky for us that Let’s Encrypt exists! And if your host provider is on this list and/or you have shell access, you can have tools like CertBot do all the hard stuff (Shout out to EFF, you guys are the best! <3). We use Digital Ocean (referral link for $10 off) as our provider, and they have a step-by-step tutorial that walked us through the whole process.

And now…we get an A rating from Qualys SSL Labs (that’s better than Facebook)!

A Rating from Qualys SSL Labs

My overly grade-conscious younger self would be so proud…

SEO Rankings Benefit from SSL

There is a slight benefit in SEO rankings for sites that use SSL. In 2014, Google announced that HTTPS would be used as a ranking signal.

“For now it’s only a very lightweight signal — affecting fewer than 1% of global queries, and carrying less weight than other signals such as high-quality content — while we give webmasters time to switch to HTTPS. But over time, we may decide to strengthen it.”

I haven’t seen posts since that suggest they have already begun strengthening the signal, so it is possible it still only affects 1% of queries. Basically, don’t lose sleep over it.

Security

Now, clearly, if you’re at all dealing with sensitive information such as usernames and passwords, you should of course 100% be using SSL. But what about blogs?

There are 2 main security conditions for bloggers to think about. Both are fairly low-risk and require the eavesdropper to be on the same network (e.g. public wi-fi):

  1. Without HTTPS connections, a hacker could intercept communication between your server and your readers and modify this information, pretending to be your server.

Users could be redirected to a super-spammy site that loads their computers up with viruses, or the hacker could add spammy links to your article. Spammy and annoying, for sure.

  2. Without HTTPS connections, comments made by readers could be snooped on, meaning that someone could link your reader’s IP address to their name and email.

This information could then be used with other information gleaned from other unsecured websites to gain a larger picture of the victim for elaborate phishing scams or the like, or the name and email could simply be added to listservs no one wants to be on.
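To make the comment-snooping case above concrete, along with the earlier point that with SSL the most an observer sees are domain names, here is an added example (not from the original post) that parses what a passive observer on the same network would read from a plain-HTTP comment submission versus the start of an HTTPS connection. The hostname, reader details and both captured byte strings are constructed for illustration, and the TLS ClientHello is a minimal one carrying only the server-name extension.

```python
import struct
from urllib.parse import parse_qs

def build_client_hello(hostname: str) -> bytes:
    """Constructed minimal TLS ClientHello whose only extension is server_name (SNI)."""
    name = hostname.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name  # list len, type 0, name len
    ext = struct.pack("!HH", 0, len(sni)) + sni                    # extension type 0 = server_name
    body = (b"\x03\x03" + bytes(32)        # client version, 32-byte random
            + b"\x00"                      # empty session id
            + b"\x00\x02\x13\x01"          # one cipher suite
            + b"\x01\x00"                  # one compression method (null)
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def sni_from_client_hello(rec: bytes):
    """Return the hostname in the SNI extension, the one cleartext name in the handshake."""
    pos = 5 + 4 + 2 + 32                                  # record hdr, handshake hdr, version, random
    pos += 1 + rec[pos]                                   # skip session id
    pos += 2 + int.from_bytes(rec[pos:pos + 2], "big")    # skip cipher suites
    pos += 1 + rec[pos]                                   # skip compression methods
    end = pos + 2 + int.from_bytes(rec[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", rec[pos:pos + 4])
        if etype == 0:                                    # skip list len(2), type(1), name len(2)
            return rec[pos + 9:pos + 4 + elen].decode("ascii")
        pos += 4 + elen
    return None

def observer_view(captured: bytes) -> dict:
    """Summarise what someone watching the network can read from the captured bytes."""
    if captured[:1] == b"\x16":                           # TLS handshake record
        return {"protocol": "https", "host": sni_from_client_hello(captured)}
    head, _, body = captured.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    _method, path, _version = lines[0].split(" ", 2)
    headers = dict(line.split(": ", 1) for line in lines[1:])
    form = {k: v[0] for k, v in parse_qs(body.decode()).items()}
    return {"protocol": "http", "host": headers.get("Host"), "path": path, "form": form}

# Constructed sample: a reader posting a comment over plain HTTP.
HTTP_COMMENT = (b"POST /wp-comments-post.php HTTP/1.1\r\nHost: blog.example\r\n"
                b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                b"author=Jane+Reader&email=jane%40example.com&comment=Great+post")

if __name__ == "__main__":
    print(observer_view(HTTP_COMMENT))                        # page path, name and email readable
    print(observer_view(build_client_hello("blog.example")))  # only the domain name
```

Over HTTP the path and every form field come back in the result; over HTTPS the same function recovers only the hostname, because everything sent after the handshake is encrypted.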

Privacy

Golden Retriever, Fluffster, looking at camera with eye patch

Privacy, not piracy! Silly dog…

 

I may be very biased, but isn’t Fluffster just the cutest in that photo??

Ahem. Yes. Privacy. We’re anonymous bloggers, so we do tend to value privacy. If you are perusing around Personal Finance blogs at work, your employer could have access to the full list of webpages you visit. Just read some articles about FU Funds and Quitting work? Your employer most likely has access to those logs.

Also, if we’re ever maintaining the site on the go, say at an airport, we want to know that we can add more adorable pictures of Fluffster without fear of someone stealing our log-in information, or without someone else connecting our blogging identities with our names.

For the Greater Good

The goal of Google and others is to establish encryption as the norm. More adoption of HTTPS forces this default, making the internet a safer place, and allowing for stricter standards down the line (Not everyone gets an A grade *cough* Facebook *cough*). It was simple for us, and so far we’ve had no issues on the site. In fact, I’d be glad to lend a hand in transitioning your site during #FinCon17 if anyone’s interested!

Do you have an HTTPS site? Have you noticed any issues? Have you thought about transitioning?

6 thoughts on “How to Get Free SSL Certification, and Why That Matters”

  1. Hi Felicity!

    I totally respect your decision to go the SSL route. There is absolutely nothing wrong with supporting SSL and, like you mentioned, the cert will prevent “man-in-the-middle” attacks…if preventing that kind of threat is important. I think this ultimately comes down to personal preference unless you’re passing around sensitive information. In such a case, SSL *should* be supported.

    I use Digital Ocean as well, so if I do decide to support SSL in the future, it should be a fairly straightforward process. Can’t beat that!
