Sucuri, a website security company that specializes in securing WordPress (and other CMS) sites, announced that SSL certificates are now available at no cost to all customers who use the company’s firewall. As a sponsor of the Let’s Encrypt initiative, Sucuri joins Automattic as one of the first companies to fully automate free SSL certificates for all customers. The company has also enabled the new HTTP/2 protocol by default, which offers significant performance advantages compared to raw HTTPS.
Unlike WordPress.com, which does not allow users to disable encryption, Sucuri offers a “No HTTPS” option which will force all traffic to be redirected to HTTP. Customers can also select from partial SSL, full SSL, and Custom SSL (where they can use their own certificates).
Despite their sponsorship of the Let’s Encrypt initiative, Sucuri’s founders emphasized that SSL support is not a magic wand that instantly makes your website secure, since it only protects information transferred between the browser and web server.
“Even though we are providing SSL certificates to all our clients, we don’t subscribe to the idea that every website needs HTTPS enabled,” Sucuri CTO Daniel Cid said. “The idea that this makes for a more secure web is inaccurate.”
Cid and co-founder Tony Perez share a perspective tempered by years of experience fixing hacked websites. The majority of compromises come through brute-force attacks, software vulnerabilities, and DDoS attacks.
In a post titled “HTTPS Does Not Secure Your Website,” Sucuri CEO Tony Perez identified three general instances where SSL is essential: when transferring personally identifiable information, transaction data in e-commerce, and other sensitive data. Outside of these scenarios, HTTPS is not as critical.
“I have no doubt that HTTPS will continue to grow in popularity,” Perez said. “What I take exception to is when technology professionals say that one of the driving factors for HTTPS is it’ll secure your website, because it won’t.”
Sucuri only recommends HTTPS for customers who are already taking security seriously and want to add protection for data in transit. The company suggests putting more basic security measures in place first – keeping your software updated, implementing intrusion detection, getting code reviews, and storing passwords securely.