SSL Hosting Is Essential in 2018 – This Is How We Provide It for Customers

By Will Hall June 5, 2018

SSL (Secure Sockets Layer) is the new normal. In this article we’ll talk about our recommended policies for providing SSL to customers, how browsers will be handling SSL, and our outlook on SSL as a hosting service.

Refresher: What’s SSL?

  • SSL is that little lock in your browser window.
  • SSL is 3rd party verification that you’re connected to the site that you think you are.
  • SSL is high-grade encryption that ensures the information you send to and receive from a website can’t be read by anyone in between.
  • SSL is a signal to Google and other search engines that your site is just a bit more trustworthy; i.e., SSL improves your search engine ranking.
  • SSL is actually TLS (Transport Layer Security) nowadays. SSL has been deprecated for years in favor of the updated TLS protocol. But in general, everybody still calls the thing that makes your browser connection secure, “SSL”. So we’ll call it SSL in this article, too.

Read more: TLS on Wikipedia, HTTPS as a ranking signal

How sites look with and without SSL

It’s important to understand that SSL is everywhere now – it’s the new normal, and sites without SSL will be increasingly penalized by search engines and browsers.

Firefox and Chrome have been aggressively moving towards making SSL appear normal, while non-SSL sites will show a warning.

Secure vs Insecure sites – Chrome and Firefox – 2018-06-06

Things will get even tougher for non-SSL sites in the near future. Just look at this image from Chrome’s dev team in May 2018.

Chrome’s 2018 plan for making SSL the default.

Read more: Evolving Chrome’s Security Indicators, Thursday, 2018-05-17

Suffice it to say, getting SSL for your site is a pretty good idea.

How we provide SSL hosting

We take a multifaceted approach to providing SSL hosting. Besides just installing an SSL certificate, we take several other steps to ensure that an SSL site functions correctly and smoothly.

Policy #1: SSL 301 redirect

Usually when a user types in your domain name, they won’t think to enter https:// at the front. So, they would by default land at the non-SSL version of your site.

Using a 301 redirect ensures that this doesn’t happen. When a visitor goes to the non-SSL version of your site, they’ll be instantly forwarded to the SSL version.

Here’s a snippet for the Apache web server that we use to detect non-SSL traffic, and direct it to the SSL version.

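RewriteEngine On
# If we are on the live domain (not a testing domain), redirect http to https.
# Pinning the host also keeps an arbitrary Host header out of the redirect target.
RewriteCond %{HTTP_HOST} ^(www\.)?example\.com$
# Plain-HTTP requests only: the HTTPS environment variable is not "on"
RewriteCond %{ENV:HTTPS} !on [NC]
# Permanent (301) redirect to the same host and path over https
RewriteRule ^.*$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]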

Policy #2: HSTS browser header

Web browsers now support a mechanism called HSTS (HTTP Strict Transport Security). After you visit a site over SSL, your browser will refuse to make a non-SSL connection to that site for as long as the policy is in force. It’s like the browser’s own internal 301 redirect. This is implemented with a header sent by the web server, which looks like this:

Strict-Transport-Security: max-age=15552000

Once the browser sees an instruction like that over an SSL connection, it’ll prohibit insecure connections to your site for the number of seconds given in max-age (15552000 seconds is 180 days).

Our hosting system provides HSTS support and we feel it’s a great way to ensure that users stay connected to your site via SSL.
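Both policies can be verified from a pair of captured responses. The Python below is an added example, not part of the original article or our hosting system: it checks that a plain-HTTP response is a 301 to the same host and path over https, and that the HTTPS response carries an HSTS header with a max-age of at least the 15552000 shown above. The function names and sample responses are constructed for illustration.

```python
from urllib.parse import urlsplit

def parse_hsts(value):
    """Split a Strict-Transport-Security value into {directive: argument}."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = arg.strip().strip('"')
    return directives

def check_redirect(request_url, status, headers):
    """Policy #1: an http:// request must 301 to the same host and path on https."""
    req = urlsplit(request_url)
    hdrs = {k.lower(): v for k, v in headers.items()}
    loc = urlsplit(hdrs.get("location", ""))
    problems = []
    if status != 301:
        problems.append(f"status {status}, expected 301")
    if loc.scheme != "https":
        problems.append("Location is not https")
    if loc.hostname != req.hostname or (loc.path or "/") != (req.path or "/"):
        problems.append("Location changes host or path")
    return problems

def check_hsts(headers, min_age=15552000):
    """Policy #2: the https response must send HSTS with max-age >= min_age."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    raw = hdrs.get("strict-transport-security")
    if raw is None:
        return ["no Strict-Transport-Security header"]
    max_age = parse_hsts(raw).get("max-age", "")
    if not max_age.isdecimal():
        return ["max-age missing or not a number"]
    if int(max_age) < min_age:
        return [f"max-age {max_age} is below {min_age}"]  # max-age=0 clears the policy
    return []

# Constructed sample responses (status, headers), not captured from a real site
HTTP_RESP = (301, {"Location": "https://example.com/about"})
HTTPS_RESP = (200, {"Strict-Transport-Security": "max-age=15552000"})

if __name__ == "__main__":
    print(check_redirect("http://example.com/about", *HTTP_RESP))
    print(check_hsts(HTTPS_RESP[1]))
```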

Monthly check #1: Mixed content errors

Every month we perform two checks for each of our SSL-enabled sites.

It turns out that even a site with an SSL certificate can still appear as “Not Secure” when errors are present. Mixed content errors are a class of browser errors that make the website look like it’s not fully secure. This happens when, for example, an image, script, or other file is not served over an SSL connection. The way browsers deal with these problems is constantly changing, but at a minimum, you will not see the “fully secure” indicator in the URL bar.

Firefox displaying a mixed content warning.

To check for mixed content errors, we manually review the website as well as take a screenshot for our records. This way, we can verify when a problem came up. The cause of a newly introduced mixed content error is usually a plugin or an improperly embedded script. Fixing a mixed content error is usually a matter of changing a URL in the source code.

Read more: Mixed content at MDN

Monthly check #2: SSL scan with SSL Labs

Our second monthly SSL check is a scan provided by SSL Labs. An SSL scan ensures that the SSL certificate is still using the best available technology.

SSL Labs’ system connects to your web site over SSL, then runs a series of tests on both the connection and the certificate itself.

If we don’t see an A+, we investigate the causes and correct them.

SSL scans are important because SSL technology changes fairly often. Events like Heartbleed and SHA-1 deprecation required updates to SSL software and/or certificates.

SSL Labs showing an A+ result for an SSL-enabled site.

SSL as a service

SSL used to be just another thing we had to annoy customers with whenever their certificate expired. But with SSL thankfully becoming ubiquitous, we consider it an opportunity to provide a value-added service. By offering monthly security checks we streamlined the process for both parties. We now consider SSL hosting, maintenance, and monthly security checks to be a unified, value-added product.
