The web is constantly changing and improving. Last year we saw a huge trend for mobile and responsive websites. This year, the biggest trend will be securing the web. This movement started April 12, 2016, with the launch of Let’s Encrypt.
Let’s Encrypt provides free digital certificates for HTTPS. They are one of the first certificate authorities to offer digital certificates without charging a yearly renewal cost.
In just over 8 months, they have provided an estimated 83,000 certificates worldwide, and are now the leading certificate authority. This has opened the door to securing the web and setting the standard for HTTPS protocol to be readily available for every website.
Limitations of Let’s Encrypt
With all free things, there are limitations.
The most obvious limitation is that their certificates must renew every 3 months, as opposed to the typical 1-year minimum by most other providers.
Another limitation is that you cannot create wildcard certificates. A wildcard certificate can represent your domain, as well as specific (or all) subdomains on your domain. Because of this, you would need to create a certificate for rcdesign.com and for blog.rcdesign.com separately.
There are certain types of certificates which are not available through their free service. Organization validation (OV) and Extended validation (EV) certificates are not offered by Let’s Encrypt.
Benefits of securing your site
There have been countless articles written on the advantages of SSL Certificates. The highlights are:
Encrypting sensitive information
SSL provides authentication between your website and your users’ computers. It ensures the information that your users send to you, as well as information you send to your users, is encrypted and safe.
SSL Provides trust to Users
As HTTPS becomes an emerging trend, more users are aware of what SSL provides, and seeing it on your website ensures they can feel safe while exploring your company.
SSL allows for accepting payments directly within your website
Payment gateways now require SSL certificates on your website if you are going to be passing any payment information. If you want to keep customers on your site while they are trying to purchase your products, you need to have this enabled.
Things are already in motion
There are already some fairly important features potentially on your website that now require HTTPS protocol.
Chrome and Safari no longer allow websites to ask for their users’ geolocation information if you do not have a secure connection.
This isn’t a new one, but any website that involves the input of credit cards or other payment information must be over HTTPS. There are some solutions (like PayPal) that allow you to bypass this requirement, but most payment gateways (Authorize.net, Moneris, Beanstream to name a few) require you to have HTTPS before they will accept connections from your site.
According to the Google Security Blog, Google Chrome will begin marking pages insecure that collect information, have user login forms, or credit card fields. This will start happening as soon as this month (January 2017).
Major Browsers (Chrome, Firefox) both released updates this week, which now flag sites that have login forms or accept other sensitive information and don’t use the HTTPS protocol.
While you can still use the websites that do not yet use HTTPS, this is a huge indicator towards enforcement in the future.
Google Chrome version 56 puts a “Not Secure” notice beside the URL.
Firefox version 51 has an even more aggressive notice beside the URL.
HTTPS at RC Design
We changed our hosting provider for the majority of our clients in the fall of 2016 and now use a managed WordPress host for all of our WordPress sites. We have partnered with Flywheel as our choice of managed WordPress hosting solutions.
Flywheel has partnered with Let’s Encrypt to integrate certificate renewals. We have passed this benefit over to our customers and now enable HTTPS for free on every WordPress site we host that does not have limitations on the certificate we can provide.