In this post, we’ll cover what SSL Certification is (short answer: that “https” thing), why bloggers should care about it (short answer: don’t freak out if you don’t have it), and how to get it entirely free (Fergus did it in roughly half an hour!).
Steve from Think, Save, Retire wrote a great piece on what SSL is, why it matters, and why it generally does not matter much to blogs. Steve’s got a wonderful blog, has very recently retired, and is super supportive in the Personal Finance blogging community.
There are, however, two additional things about SSL certification that are important to note that prompted us to write this article:
- SSL Certification does not mean $$$
- There are instances where it could make a security difference to blogs
What is SSL Certification?
Secure Sockets Layer (SSL) is a security standard that encrypts information between websites and end users in a browser. Sites that have certification will show up as “https” instead of “HTTP” in the address bar. [for the most part, at least; some sites default to non-encrypted/http but have an encrpyted/https option]. With SSL, it is almost impossible for eavesdroppers to intercept information between the website and users.
Never submit any financial information over an HTTP connection (and of course always be careful in general of who you give sensitive information to – as Steve pointed out in his article, https does not mean the site isn’t just a phishing scam).
Without SSL, your internet provider and anyone else on your local network (including employers) can see exactly what pages you visit and any information transferred. With SSL, the most they can see are domain names. Now, internet providers knowing where you browse may not sound super scary at first, but keep in mind they have been known to give backdoor access to the NSA and other government entities.
Why Should Bloggers Care About SSL?
|SEO||Hit to Ad Revenue|
|Privacy/Safety||Time and/or Money to Set Up|
Possible Hit to Ad Revenue
As Steve points out, ad revenue seems to have taken a hit for many bloggers, at least in the short term.
Google currently claims, “All ads that come from any Google source always support HTTPS, including AdWords, AdSense, or DoubleClick Ad Exchange.” This means that theoretically there will be no change in revenue if your site exclusively uses Google sources for ads. They further give several examples of large sites that have made the transition with no significant impact to ad revenue. Other ad services or direct ads, however, may not work as expected. This will likely change over time with more adoption of SSL.
For this blog, the only possible ad-related revenue would be through affiliate links, and those seem to work fine. Since we still have not had any profit, it’s very hard to face a decline in said profit.
SSL is Not the Default for Hosting Providers, Meaning Effort is Required
Some companies offer SSL services with an upfront cost of $60+ for certification. Alternatively, you can get it for free, but it will take some non-zero amount of effort. Fergus was able to set us up with SSL in roughly half an hour, with the majority of that time spent looking up passwords for our web host and WordPress accounts. That said, Fergus holds degrees in Computer Science, so, it may take more time to DIY if you’ve never used a terminal or command line.
Now, it used to be a lot more difficult to go HTTPS – I saw some videos, and it was not pretty. However, lucky for us that Let’s Encrypt exists! And if your host provider is on this list and/or you have shell access, you can have tools like CertBot do all the hard stuff (Shout out to EFF, you guys are the best! <3). We use Digital Ocean (referral link for $10 off) as our provider, and they have a step-by-step tutorial that walked us through the whole process.
And now…we get an A rating from Qualys SSL Labs (that’s better than Facebook)!
SEO Rankings Benefit from SSL
There is a slight benefit in SEO rankings for sites that use SSL. In 2014, Google announced that HTTPS would be used as a ranking signal.
For now it’s only a very lightweight signal — affecting fewer than 1% of global queries, and carrying less weight than other signals such as high-quality content — while we give webmasters time to switch to HTTPS. But over time, we may decide to strengthen it.
I haven’t seen posts since that suggest they have already begun strengthening the signal, so it is possible it still only affects 1% of queries. Basically, don’t lose sleep over it.
Now, clearly, if you’re at all dealing with sensitive information such as usernames and passwords, you should of course 100% be using SSL. But what about blogs?
There are 2 main security conditions for bloggers to think about (both fairly low-risk and require the eavesdropper to be on the same network (e.g. public wi-fi)):
- Without HTTPS connections, a hacker could intercept communication between your server and your readers and modify this information, pretending to be your server.
Users could be redirected to a super-spammy site that loads their computers up with viruses, or could add spammy links in your article. Spammy and annoying, for sure.
- Without HTTPS connections, comments made by readers could be snooped on, meaning that someone could link your reader’s IP address to their name, and email.
This information could then be used with other information gleaned from other unsecured websites to gain a larger picture of the victim for elaborate phishing scams or the like, or the name and email could simply be added to listservs no one wants to be on.
I may be very biased, but isn’t Fluffster just the cutest in that photo??
Ahem. Yes. Privacy. We’re anonymous bloggers, so we do tend to value privacy. If you are perusing around Personal Finance blogs at work, your employer could have access to the full list of webpages you visit. Just read some articles about FU Funds and Quitting work? Your employer most likely has access to those logs.
Also, if we’re ever maintaining the site on the go, say at an airport, we want to know that we can add more adorable pictures of Fluffster without fear of someone stealing our log-in information, or without someone else connecting our blogging identities with our names.
For the Greater Good
The goal of Google and others is to establish encryption as the norm. More adoption of HTTPS forces this default, making the internet a safer place, and allowing for stricter standards down the line (Not everyone gets an A grade *cough* Facebook *cough*). It was simple for us, and so far we’ve had no issues on the site. In fact, I’d be glad to lend a hand in transitioning your site during #FinCon17 if anyone’s interested!
Do you have an HTTPS site? Have you noticed any issues? Have you thought about transitioning?