I was surprised recently when speaking with a friend about the Be Devious WordPress Hosting services I’ve just launched, when I told him that I’ll be including SSL for free for all the websites I sell. He didn’t know what SSL was, but that wasn’t what surprised me, he’s far less geeky than I.
But when I went on to say “you know, when you get the little green padlock at the top? That one you’re supposed to check for before entering your card details online?“. Nope, he had no idea. I thought that message had gotten through!
So turns out some people still don’t know what this is. But if you have a website you need to, and it is becoming more and more the consensus that you should have it.
What is SSL / TLS / HTTPS?
Secure Socket Layer / Transport Layer Security / Hypertext Transfer Protocol Secure.
That cleared it up for you?
No?
OK, I’m not going to go in to detail about this works right now, as it’s not specifically required for this article. In general, without SSL, any information that is sent from your browser to a web server is sent “as is”. i.e. it’s just sent as text. So if I log in to a site with myusername and mypassword, anyone clever enough and with a mind to intercept or log that message can pretty much just pick out my login details.
When SSL is in place, before your browser sends anything out it encrypts it. That is, it turns it into a meaningless mess of letters, numbers and special characters. The only way it is possible to translate this back to what it was in the first place is to pass it to the web server which has the key to unlock the code.
That’s it in a nut shell.
SSL can be considered relatively expensive, especially for small businesses, blogs or non-profits. It is considered by many that making whether or not you secure user’s personal information or not a financial one isn’t a good thing. Enter LetsEncrypt…
What is LetsEncrypt?
SSL certificates are issued by bodies called Certificate Authorities. Those who are trusted to issue SSL certificates work with those who make browsers so that if a website attempts to use a certificate that isn’t trusted, your browser can warn you of this.
LetsEncrypt is a new Certificate Authority backed by some big players including Automattic (WordPress) and Google (Google). Their advisory board has also got some big boys sat on it including folks from Mozilla, Akamai and Cisco, so you know it is the real deal.
These guys are committed to six key principles – Free, Automatic, Secure, Transparent, Open, Collaborative. I think we can all get on board so far yes?
What you can take away from this is that they want to take the financial angle out of security and make the internet a safer place for all.
Another important point to note is a new technology HTTP2, a major upgrade in how websites work and will have a large impact on website speed only works with SSL, therefore it’s in everyone’s interest to secure their sites to be ready for their servers to be upgraded to use HTTP2.
Ways to use LetsEncrypt
So first off theirs a couple of ways to get a certificate from these guys that does require some technical knowledge. And by that I mean you need to know how to use the command line. If this doesn’t sound like you, or you’ve never heard of SSH or Shell access, I suggest you don’t attempt this.
If you think this is for you, I’m not going to reinvent the wheel, there’s a couple of really decent run throughs of this provided on the WPMU blog:
Personally I’ve found that it is considerably easier to pass the “heavy lifting” of this process to someone else. Fortunately Plesk has provided an add-on to not only install certificates but manage the renewals for you, and for a small price you can purchase one for cPanel.
Did I mention that all Be Devious WordPress Hosting comes with a LetsEncrypt certificate set up for you on your domain? And that all Be Devious Web Hosting uses Plesk and has the LetsEncrypt extension available for you to install certificates to your heart’s content?
Maybe I did, oh well, you definitely know now!
Limitations
Of course there have to be some limitations. I’d be interested in hearing from people if there are more that need to go onto this list…
Wildcards
When you set up an SSL certificate, you need to specify the domains that you want to include. Normally you’d want at least mydomain.com and www.mydomain.com covered. You may also wish to cover all of your sub-domains as well, i.e. subdomain.mydomain.com – in the general SSL market, you can get something called a wildcard certificate. This means all your subdomains are included automatically, often written as *.mydomain.com ( * = all ).
LetsEncrypt have stated that they don’t support wildcards and don’t plan to.
Via the command line and Certbot methods you can list multiple domains for one certificate and so you could include numerous sub-domains, however you’d need to update this every time you created a new sub-domain.
The Plesk extension currently only supports the www. and non-www. versions of a domain and there are no further options.
I’ll come on to how to work around this shortly
[bedev_widget_area]
Browser Compatibility
During the Beta stage of testing there were a number of issues raised with compatibility of certain browsers on certain operating systems. Google Chrome on Windows XP and Windows Vista to name a couple. These were resolved, but it is possible that older browsers and operating systems could in future throw security warnings for valid LetsEncrypt certificates.
It’s something to be aware of. Personally I have opted for the more affordable, higher level of security and at every opportunity recommend people stop using outdated and unsupported browsers and operating systems.
Renewals
Depending on the method of set up, you may need to manually manage certificate renewals. LetsEncrypt certificates are only valid for 90 days. This is to enforce faster and more frequent updates that is especially handy if security vulnerabilities are discovered. i.e. if someone figures out how to hack LetsEncrypt, you are a maximum of 90 days away from getting a new certificate. If you’re smart and engaged you will renew sooner.
The extensions offered for Plesk and cPanel handle all the renewal processes for you, and the Plesk extension even revokes certificates automatically when a domain is deleted from the control panel.
Rate Limits
There are limits on how many certificates can be registered per week, per domain and per IP address. If you’re requesting enough for this to affect you, I’m assuming you’re technical enough to read about the limits directly from the source.
WordPress
LetsEncrypt works just fine with WordPress. Here’s a few handy tips to look at.
.htaccess
.htaccess is an Apache file that essentially is the last point that your server might interject on a request being made by a visitors browser before it hands of to the WordPress php files to generate a webpage. It is commonly used for enforcing redirects and can be handy for managing requests and forcing them to head to the https version of your site.
A quick Googling of the topic will show you numerous options of what to use here, but through my experimentation, here’s what works best:
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
This is my preferred method because it captures every request not using SSL and dynamically redirects to the host AND the URL. It is assumed a lot of the time that your website only makes use of one domain. If you are using WordPress multisite with multiple domains, sub-domains, sub-directory sites and mapped domains, this should have you covered.
Updating everything to HTTPS
An important point to note is that when using SSL, all requests for resources on a website must also be requested over SSL. If they are not they will either not be downloaded – which would cause the page to look terrible or malfunction in the case of images, style sheets and javascript files, or to throw a security warning.
My recommendation is to use the Really Simple SSL plugin – this adds another few rules to your .htaccess as well as makes some updates to the database to ensure that requests for resources are updated.
If you are using a CDN, you’ll also need to make sure that they offer SSL access to your pull zones.
Are you using SSL? What’s your experience?
Setting up SSL can be easy, but it can also cause some headaches. Share your experiences and tips in the comments below.
[bedev_widget_area]
Leave a Reply
You must be logged in to post a comment.