18 Comments

  1. AJ

    This will become very expensive for a lot of people who use web hosts that do not offer LetsEncrypt, but instead charges a lot of money for SSL. Mine charges $75 per site per year, so with multiple sites, this can get expensive. The host I use, and have for many years, makes me cringe to think I may have to move to a new host with LetsEncrypt, but I may have to make that sacrifice and move.

    The fact people will be seeing these warning messages before entering a site, could end up costing a lot of visitors and money to the site owners. People will be scared off when they see the Not Secure messages.

    Report

    • Steven Gliebe

      Hosts that don’t support Let’s Encrypt are going to have a harder time competing. There are plenty of hosts out there offering free, automatic SSL certificates that are happy to move new customers off of hosts like yours for free.

      Report

  2. Vishwajeet Kumar

    Yes, Google now forcing webmasters to move to HTTPS. I have also move my site to https and have seen a hike in rankings. I think its a good move to make the web more secure.

    Report

  3. Aida Lundquist

    Absolutely right what Google does to force it to use https! If the lame webmasters don’t do it the fall down in ranking and users get warned because of a not secure website. I think every browser creator should follow that to make the net more secure for us users.

    Report

  4. Mic Sumner

    If your hosting provider doesn’t allow SSL for free, then they are making a big mistake!

    I believe that all hosting providers should give every customer the feature to install even Lets Encrypt Open SSL.

    It’s just the most obvious thing to do. Afterwards, they may provide SSL certificates which provide security compensation.

    But the fact of the matter of this little rant is that we should go for hosts which provide Lets Encrypt.

    If you are at a loss wishing to stay with your hosting provider even though they currently don’t provide a free SSL service, then you can always setup your website with CloudFlare, which is free and there is a way to setup HTTPS through reverse proxy.

    I’ve completed a setup for CloudFlare with my clients and the gains are instant! You’ll also get CloudFlare’s HTTP/2 which is what makes HTTPS fast (not to be confused with HTTP/2).

    I just hope that everyone of you guys don’t get caught in the middle for having to pay for a regular green https just because you didn’t know we have free options available!

    Kind regards,

    Mic Sumner

    Report

  5. Pawan

    It’s really good move to keep web secure. I don’t see any reason that hosting providers will give a free SSL as they can see Google’s forcing HTTPS as an opportunity to gain in business of selling SSL certificate.

    Report

    • Steven Gliebe

      Any host that sticks with that strategy will lose new sign ups in the long-run. In a few years it will be laughable that a host is so behind the times that they’re not providing free SSL certificates. They’ll fizzle and die.

      “Wait, you want me to pay for an SSL certificate?”

      Report

  6. Dumitru Brinzan

    Google forcing website owners buy SSL certificates will increase the yearly expenses for websites, especially when you own more than just one website.
    Not many will be happy to increase their yearly expenses by $30-$100 PER WEBSITE.

    P.S. Last month I’ve moved 2 websites (1 e-commerce, 1 content-based) and have seen zero changes in rankings.

    Report

    • Peter

      SSL certs are free or it cost under 10$ if somebody wish to pay it. Sure you saw zero ranking changes, it’s a standard already, nothing new or rarely seen, that will diff. you from other websites.

      Report

    • Bob

      Looks like somebody missed the memo on Let’s Encrypt.

      It’s FREE!!!!

      Report

    • Josh

      If you’re paying 30-100 for ssl, you’re paying too much.

      Report

    • Steven Gliebe

      Even wildcard certs will be free soon. I don’t think anybody’s going to need to pay for anything unless they want something like an EV cert.

      Report

  7. Bright Joe

    I recently launched a tech blog, and come on, I don’t want to use HTTPS on that. This is not good, my tech blog is just about guides and tips, I have nothing to do with secure access like logging in or even putting any delicate information on my blog.

    That’s pretty… bad. :(

    Report

    • Steven Gliebe

      Consider that the transmission of your password is not encrypted when you log into /wp-admin/ over http.

      Report

    • Al

      Yes, that was a helpful reply. Thank you for that.

      I have to agree with Bright Joe here. There is no intrinsic need for a security certificate from a Certificate Authority (CA) on a website that is simply a blog, especially if it is just plain HTML… without any data capture.

      If you are really concerned about security, use a VPN and not rely on SSL. There is a bit of overhead to it, but it is about as secure as you can get. Of course, bank/financial and medical, and similar sites that collect personal info should be protected… and I can’t think of one that isn’t these days (making a VPN somewhat redundant.)

      No one has explained to me why Google is on the road to requiring Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL) for every website… but I have to surmise that there is a dollar sign behind their motivation somewhere. Do they own a CA somewhere?

      There is no doubt that the Comodo’s of the world will cash in!

      Report

  8. Al

    If your host allows it you can easily install Let’s Encrypt using their CertBot. However, some hosts don’t give you root permission and CertBot needs it.

    If that is the case, many hosts have a manual way for you to get a Let’s Encrypt certificate and sending it to them and they will install it for free.

    We use this site and it works well.

    For those of you who host on Pair.com as we do, we wrote this… actually for ourselves… so we would not forget how to do the procedure!!

    The downside with hosts that don’t support Let’s Encrypt internally is that the host (obviously) can’t auto-renew the certificates and they expire every 3 months… so you have to do the procedure 4 times a year.

    Perhaps paying the ten bucks a year is a better idea… but if you have some 20 domains as we do for our different businesses, maybe not. It does not take very long but it is a PITA, for sure.

    Report

  9. Jeffrey

    I use CloudFlare’s flexible SSL with no charge. I understand it is not a complete SSL and I wonder if Google will still display the message for my site.

    Report

  10. Steven Gliebe

    It’s pretty clear that a lot of education about HTTPS/SSL needs to be done. I’m really glad Google is making this an unavoidable issue.

    Report

Comments are closed.

%d bloggers like this: