Mar 30, 2017 | 2 min read min read
Historically, a website would only use HTTPS if handling Personally Identifiable Information (PII) or processing payment transactions. Later, it became standard practice to switch an unsecured site to HTTPS only when taking any input from a user (such as email addresses, usernames, passwords). When browsing the web these days, you’ll see a little padlock icon in your browser’s address bar, indicating the site’s HTTPS secure standing, more often than not.
Though there was pushback for securing websites via HTTPS in the beginning, it’s now becoming a web best practice.
Why the pushback? Initially, serving a website via HTTPS increased the overhead on the webserver, and since more data is being transmitted, page load time slowed. Modern internet connections are so fast now this is no longer noticeable.
SSL certificates were also expensive to obtain, and often required extra effort and cost to install and maintain. Now, SSL certificates can now be obtained cheap — or free — and installation and monitoring can be easily handled through automation tools.
Recently, search engines have started giving a bit of an SEO bump to sites that are served exclusively via HTTPS and modern browsers will mark a site ‘insecure’ if it accepts user input via HTTP. These small efforts provide even more incentive to serve a website via HTTPS on top of the the already clear benefit of keep users and their data secure.
There are many more reasons to serve your website over HTTPS, and many many articles have already been published on this topic. I’m not going to attempt to expand on those, but if you’re interested in some additional reading, here’s a few posts to check out:
Last April, the Let’s Encrypt service launched, offering free, Certified Authority signed, SSL certificates, making the issue of cost of an SSL certificate non-existent. The only barrier that remains is the installation and maintenance of your certificate.
Making the maintenance slightly more complicated, Let’s Encrypt certificates are only valid for 90 days (and they may shorten that period in the future). On the surface, this may seem like another burden to running your site on HTTPS, but the automation that amazee.io built for this process makes it simple and painless.
Using Let’s Encrypt on amazee.io couldn’t be simpler. If you host with amazee.io, simply ping us in Slack and we can enable it for your site, same day.
Once we enable Let’s Encrypt for your site, we have invested the time to automate every other part of the process: a certificate request is created, the domains verified, and the certificate is created and added to the configuration for your site. We then poll the certificates on each server to see which are expiring soon, and renew them before you even have to think about it.