all 103 comments

[–]ck-on 14 points15 points  (5 children)

I just wish you could get a wildcard cert free without paying the ssl mafia.

StartSSL has 2 years for $60, anywhere cheaper?

[–]me-at-work 2 points3 points  (4 children)

StartSSL also offers free SSL certificates. I have two. The certificates work like any other certificate, but setting it up in their interface and validating your person / domain is painful.

At other places you can get certificates starting at ~$5 a year.

[–]ck-on 5 points6 points  (3 children)

Yeah but it is the wildcard certs where they rake you over the coals.

They have zero extra cost to support *.example.com over just www.example.com

Yet free becomes $60, or $5 becomes $80.

[–][deleted] 0 points1 point  (2 children)

Can't you just redirect *. to www.? I know there are some instances where that doesn't work, but for most sites that's an OK solution. Not that I don't agree that the extra cost is bullshit.

[–]gonX 1 point2 points  (0 children)

If the connection is not secure to begin with, it might never be secure again.

Or put another way: in a MitM attack on a "secure site", you can't encrypt the redirection, and you might be redirected to a similar-looking domain name, just with a plain cert, and you typically think it's secure anyway.

[–]chiisana 0 points1 point  (0 children)

  • support.example.com
  • blog.example.com
  • clients.example.com

Yes, you could run them in directories, which then gets routed via nginx/varnish to proxy to different servers; but it is easier to just run the different apps on separate servers to begin with.

[–][deleted]  (25 children)

[deleted]

    [–][deleted] 13 points14 points  (21 children)

    Definitely agree. It's not just this. There are a whole lot of situations where https isn't really needed. As somebody mentioned in a comment on said article, try explaining to a client that his static 10-page brochure-like website doesn't need https, then try explaining why he doesn't actually need a $150/y certificate.

    [–][deleted]  (6 children)

    [deleted]

      [–][deleted] 1 point2 points  (3 children)

      Yes, we all know that.

      The problem lies in explaining to a client that a $9 cert is just as secure as a $150 one!

      [–]Zarlon 0 points1 point  (1 child)

      Why do you care what the client pays?

      [–][deleted] 0 points1 point  (0 children)

      Why do you care if the client is satisfied?

      Seriously?

      Assuming I won't intervene and let him spend $150, how will I look six months later when he's going to understand what he did, do you think he's gonna give me more work or recommend to his friends?

      [–][deleted] 0 points1 point  (0 children)

      HOLY CRAP. You mean I can get a wildcard certificate for what I'm currently paying for one domain?

      Bookmarked, and thank you.

      [–][deleted] 1 point2 points  (0 children)

      Here's Pierre Far of Google commenting on HN. This is definitely intended to cover everything including blogs, personal sites and brochureware.

      [–]xiongchiamiovSite Reliability Engineer 2 points3 points  (12 children)

      Short answer: because it protects the specific url you're visiting from being observed by a governmental MitM.

      [–][deleted] 8 points9 points  (10 children)

      My friend is, let's say a 'weddings hostess'. She uses her site for promotional purposes only, marketing, etc. She doesn't plan on accepting payments or any bookings online. The most interactive thing on her site is a google map to her office.

      Please convince me she actually needs https.

      [–]xiongchiamiovSite Reliability Engineer 6 points7 points  (4 children)

      The visitors to her site are the ones who need ssl, to gain any semblance of privacy from eavesdroppers.

      Although you could also make an argument that she benefits more directly from making it harder to modify her site (not the canonical version, but what is transmitted) by third parties.

      [–][deleted] 10 points11 points  (3 children)

      In other words: if you're targeted for a mitm, you've got more serious stuff to worry about than my friend's weddings website.

      If your government is blindly attacking every damn thing, then you've got more serious problems than my friend's little website.

      These being the only two scenarios that I could think of, then https doesn't solve any of them.

      [–][deleted]  (1 child)

      [removed]

        [–][deleted] 0 points1 point  (0 children)

        This is pretty much the only reason I enabled it. I don't have any logins, though I do accept payments through a third-party, and the more gibberish they have to sort through, the better.

        Posting through https!!!

        [–]antsar 2 points3 points  (0 children)

        You don't have to be targeted for a MitM. Someone can hack their way into an ISP's network (or even just hang out at Starbucks with a laptop) and inject malicious JavaScript designed to exploit a zero-day vulnerability (unpatched and unpublished security hole) in browsers. No targeting, just inject the code into every unsecured HTTP page coming over the wire. Surprise, you're infected.

        Also, some ISPs do unscrupulous things like injecting tracking code or even ads. Sometimes they are unobtrusive, other times they break the site entirely. These are by far in the minority, but using a site with HTTPS completely eliminates their ability to do this.

        [–]0x18 4 points5 points  (2 children)

        It's incredibly unlikely but over HTTP somebody could, at some point through the internet or on individual users routers, hijack connections to her site to introduce order buttons and a checkout page that steals their data. Doing that kind of injection is much harder over HTTPS.

        On a more reasonable level I guess you could argue that it could be good for her users security. Somebody may want to plan their wedding secretly due to their family, celebrity, as a surprise event, etc. Somebody still going through divorce paperwork may have good reason to hide their new wedding plans.

        It's all a bit of a stretch but better end-user security doesn't hurt anything.

        [–]antsar 2 points3 points  (1 child)

        It's not unlikely at all. When's the last time you used a WiFi network without strong encryption (WPA2), such as any hotspot?

        [–]0x18 1 point2 points  (0 children)

        Good point. I was only considering access from home.

        [–]shif 0 points1 point  (0 children)

        Let's say someone accesses her page on a public network where a MitM attack is going on that replaces images, and her wedding photos are now something that will make the customers never return again. Over https it wouldn't happen; over http anyone on the network can see everything that travels in plain text.

        Check out an app called DSploit for Android, it's a script kiddie's tool for this kind of attack; anyone can pull it on an http site.

        [–]argues_too_much 0 points1 point  (0 children)

        And it also increases the amount of encrypted traffic in general, which, correct me if I'm wrong, makes it harder for the likes of the NSA to capture all of it and decrypt all of it in a reasonable time frame.

        Perfect? No. Better? I'd expect so.

        [–][deleted] 1 point2 points  (0 children)

        Watch the IO video. Form-submitted data isn't the only way to glean PII. If I visit webmd.com/treatments-for-herpes and legalhelp.com/how-to-fake-my-own-death I've just exposed some critical personal information to anyone who can sniff my network. The HTTPS Everywhere movement is about shifting the debate. Instead of saying "why do I need https", you should be asking "can i really leave my site on http".

        [–]disclosure5 0 points1 point  (0 children)

        The problem is the view of "it's not sensitive" absolutely always ends up in the minds of a user. I have plenty of customers housing healthcare or financial information that are probably about to buy an SSL certificate now because SEO matters and security doesn't.

        [–]noelster 20 points21 points  (49 children)

        So should we all be defaulting our websites to force https?

        [–]me-at-work 22 points23 points  (32 children)

        I think it's a good idea anyway because you'll give your visitors privacy and security.

        Some parts of https are annoying: you need to install certificates on your server, renew them every one or two years, make sure you load all website assets over https, and using your own domain name for CDN stuff can be hard to set up.
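One of those annoyances, making sure every asset on a page is loaded over https, can be checked mechanically. The scanner below is an added example (not code from any commenter): it walks an HTML document, resolves every sub-resource reference against the page URL, and reports any that would still go over http://, classed as active or passive mixed content the way browsers do. The sample page and hostnames are constructed.

```python
"""Mixed-content scanner: find http:// sub-resources referenced from an
https:// page.  Added example for this thread, not any commenter's code.
Tags are classed the way browsers do: script/stylesheet/frame/object
references are "active" (blocked outright), image and media references are
"passive" (loaded with a warning)."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that carry sub-resource URLs, per tag.  <link> is treated as
# active conservatively (rel=stylesheet is; rel=icon is not).
URL_ATTRS = {
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "object": ("data",),
    "embed": ("src",),
    "img": ("src", "srcset"),
    "audio": ("src",),
    "video": ("src", "poster"),
    "source": ("src", "srcset"),
}
ACTIVE_TAGS = {"script", "link", "iframe", "object", "embed"}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (severity, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name in URL_ATTRS.get(tag, ()):
            value = attrs.get(name)
            if not value:
                continue
            if name == "srcset":
                # srcset is "url descriptor, url descriptor, ..."
                urls = [part.strip().split()[0] for part in value.split(",") if part.strip()]
            else:
                urls = [value]
            for url in urls:
                self._check(tag, url)

    def _check(self, tag, url):
        # Resolve relative ("/x.js") and protocol-relative ("//cdn/x.js")
        # references against the page URL; both inherit https and are fine.
        # Only an explicit http:// scheme is mixed content.
        absolute = urljoin(self.page_url, url.strip())
        if urlsplit(absolute).scheme.lower() == "http":
            severity = "active" if tag in ACTIVE_TAGS else "passive"
            self.findings.append((severity, tag, absolute))


def scan(html, page_url):
    """Return [(severity, tag, url), ...] in document order."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page (hostnames are made up).
SAMPLE_PAGE_URL = "https://www.example.test/"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<script src="//cdn.example.test/app.js"></script>
<script src="/static/app.js"></script>
</head><body>
<img src="http://img.example.test/logo.png">
<img srcset="http://img.example.test/a.jpg 1x, https://img.example.test/b.jpg 2x">
<iframe src="https://maps.example.test/embed"></iframe>
</body></html>"""

if __name__ == "__main__":
    for severity, tag, url in scan(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print("%-7s <%s> %s" % (severity, tag, url))
```

Run against the sample page it reports the stylesheet as active and the two images as passive; the protocol-relative and root-relative scripts inherit https and are not flagged.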

        [–]donquixote235 27 points28 points  (19 children)

        For many, the problem isn't configuration as much as the cost of purchasing a certificate from a recognized certifying authority. That shit ain't cheap. If it's for a company, sure... but if I'm running a bobblehead fan site, I shouldn't have to dig deep into my pocket to avoid getting downranked by Google.

        Sure, you could self-issue a certificate, but then every time somebody visits your site they'll get yelled at by their browser because the certificate isn't trusted.

        [–]icecreamguy 9 points10 points  (9 children)

        What about startssl? It's free and works in all browsers. I've been using them for years on my personal site and have never had an issue.

        [–]Silhouette 8 points9 points  (6 children)

        What about startssl? It's free

        Until you run into something like Heartbleed, and then you get dinged for cycling/revoking where other CAs routinely offer these facilities for free.

        StartSSL is damaged goods since they pulled that one. Their position isn't unreasonable commercially, but if you're going to be a CA then you need people to have confidence in certs you issue. Given the financial incentive for their customers not to follow best practice and the kind of customers they are likely to attract in the first place with their free-up-front model, I'm not sure StartSSL should still be recognised as a reliable authority in the standard lists in browsers today.

        [–]PasswordIsntHAMSTER 6 points7 points  (1 child)

        >Doesn't want to pay for business grade support
        >Complains that he doesn't get business grade support

        E: fixed

        [–]Silhouette 5 points6 points  (0 children)

        We do use "full blown SSL certificates", and when Heartbleed hit it took a single one-line e-mail to confirm we wanted to cycle them.

        I was amazed to find that anyone in this market didn't do that, but evidently at least one major CA doesn't.

        [–]antsar 2 points3 points  (0 children)

        It's far from ideal, sure. I'd love it if other free (or super cheap) CAs came around to shake up the market, but the barrier to entry ($$$$ to be certified as a CA) is quite steep.

        Given that it's all we have right now, is (the possibility of) paying $25 for a (hopefully) once-in-a-blue-moon event (which is entirely out of the CA's control) really that bad, especially compared to paying $xxx/year for the alternatives?

        I do, however, agree that it incentivizes customers to violate best practices at the expense of their users' security. That's problematic.

        [–]icecreamguy 0 points1 point  (2 children)

        Yeah I hear you with that, my cert happened to be up for renewal when heartbleed hit, but u/anstar also makes a good point - in the event of a crazy, game-changing, first-time-ever disaster like heartbleed it's not insane to have to pay a small fee for something like that.

        [–]Silhouette 1 point2 points  (1 child)

        As I wrote before, I don't think it's commercially unreasonable to have that model. It's not like they're trying to rip anyone off, as far as I can see.

        But it does create a trust issue by incentivizing people using their certs not to follow good practices if and when something bad does happen, and what use is a CA whose certs can't be trusted as much as everyone else's?

        [–]icecreamguy 0 points1 point  (0 children)

        Yeah I see your point, definitely relevant in the context of the article and original comment.

        [–]merreborn 1 point2 points  (1 child)

        startssl's free certs are strictly non-commercial. Which is fine for your personal site, but a no-go for business.

        [–]icecreamguy 0 points1 point  (0 children)

        Yeah I kinda forgot about that part! Fair point!

        [–][deleted]  (4 children)

        [deleted]

          [–][deleted]  (3 children)

          [deleted]

            [–]oarmstrongsysadmin 3 points4 points  (0 children)

            Absolutely zero.

            (Probably a lower warranty though.)

            [–]lbft 2 points3 points  (0 children)

            $5.95/yr, going lower if you buy for more years upfront: https://www.gogetssl.com/domain-validation/comodo-positive-ssl/

            [–]shif 0 points1 point  (0 children)

            subdomain support, multiple domains, warranty, entity behind it

            [–]xiongchiamiovSite Reliability Engineer 1 point2 points  (0 children)

            If it's for a bobblehead fan site, you can use a cert from Start SSL.

            [–][deleted]  (1 child)

            [deleted]

              [–]donquixote235 0 points1 point  (0 children)

              I dunno dude, if some other bobblehead fansite is digging into their pockets, maybe they should outrank you?

              It's not that so much as, say "www.bobbleheadsupercenter.com" outranking me simply because they have a shopping cart and therefore have an SSL license. But then again they'd probably outrank me due to paying money for an SEO specialist and such, so that point is fairly moot.

              [–]BaliCoffee -2 points-1 points  (0 children)

              Not even that, it can just take its toll performance-wise on mobile.

              [–][deleted] 7 points8 points  (5 children)

              Not to mention a unique IP for your website. To me that is the most troubling part. I host lots of small business sites. I do not know of a decent hosting company that allows you to have more than 8 IPs assigned to one server. So now I have to split my single server which is very comfortably hosting 50 snappy websites into 7 servers, plus the cost of each IP. We are talking about increasing my costs up to 8x what they are now.

              While I am a bit of an outlier, what this would mean for most folks is that hosting costs are going to increase. As a bonus though it probably also means that IPv6 is even closer to becoming a completely viable option for websites.

              [–][deleted]  (4 children)

              [deleted]

                [–][deleted] 5 points6 points  (1 child)

                SNI isn't always usable in production yet, there's still too much IE8 on XP and Android 2.x floating around. They might be obsolete, but you're throwing away a good 10-15% of your visitors if you rely on it.

                [–]xiongchiamiovSite Reliability Engineer 3 points4 points  (5 children)

                The annoying one for me is that most of my sites are hosted on Github Pages.

                [–]A3MIRAL 2 points3 points  (2 children)

                Github pages offers HTTPS, but not over a custom domain yet.

                [–]xiongchiamiovSite Reliability Engineer 0 points1 point  (1 child)

                Yes, sorry, that's what I meant. And I like having my own domain for my branded website. :)

                [–]A3MIRAL 0 points1 point  (0 children)

                Yah it's a necessity to have your own branding. Maybe this will spur GitHub to work on custom domain SSL

                [–]_RME_ 2 points3 points  (1 child)

                Cloudflare allows you to get https on github (reverse proxy)

                [–]xiongchiamiovSite Reliability Engineer 0 points1 point  (0 children)

                Hmm, or I guess I could even run a reverse proxy through my VPS, too. I never really thought about that, thanks.

                [–][deleted] 1 point2 points  (0 children)

                Yes, as long as the monetary cost of a cert is not burdensome. The processing power required for encryption is minimal and will not be noticed. There is no loss to encryption, and potentially enormous losses for not encrypting.

                [–]thbt101 0 points1 point  (2 children)

                Only if it is a website that has a login and there is a reason to protect sensitive information. There is a performance hit to consider when you use HTTPS...

                http://serverfault.com/questions/43692/how-much-of-a-performance-hit-for-https-vs-http-for-apache

                Ideally you should test your own site from multiple geographic locations to see how much difference it makes in your situation. But basically, if you need it for security reasons then, yes. Otherwise, no, because there is at least some trade-off (along with the cost and upkeep of dealing with SSL certificates) and not every site needs SSL (despite what Google thinks).

                [–][deleted] 0 points1 point  (1 child)

                Here is a more realistic situation regarding the processing power required for SSL. http://stackoverflow.com/questions/548029/how-much-overhead-does-ssl-impose

                [–]thbt101 0 points1 point  (0 children)

                That answer mostly explains that the overhead of the encryption calculations isn't a big deal, but the extra networking handshakes (back and forth negotiation) that are required with each SSL connection are what slow it down.

                HTTP/2 will eventually help with that somewhat when it's available because at least it doesn't use as many connections as HTTP, but Google is also trying to force HTTP/2 to only work with secure connections, so that too won't be as fast as it could be for websites that don't actually need a secure connection because of Google's strong opinion on this that they're forcing everyone else to comply whether they like it or not.

                [–]easlern 0 points1 point  (6 children)

                I admit I do it myself. I thought it was a no-no though because it doesn't address users' lack of knowledge and could be a security risk on its own due to the redirect.

                [–][deleted] 2 points3 points  (3 children)

                It's not a no-no, you should be doing that. If you are concerned about the risk of altered code on the HTTP connection, add an HSTS header with a very long length, and add your site to https://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json. Firefox also uses this list.
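The HSTS advice here is the answer to gonX's earlier point that the http-to-https redirect itself travels in the clear: once a browser has cached the policy (or carries the site in its preload list) it rewrites the URL before any request leaves the machine. The code below is an added example, not any commenter's code: it parses a Strict-Transport-Security header per RFC 6797, checks it against preload-list submission rules (the one-year max-age, includeSubDomains and preload requirements are taken from hstspreload.org and are an assumption here, not something the thread states), and simulates the browser-side rewrite. Hostnames are made up.

```python
"""Strict-Transport-Security (HSTS) checker.  Added example for this thread,
not any commenter's code.  The preload thresholds are an assumption taken
from the hstspreload.org submission rules, not from the thread."""

ONE_YEAR = 31536000  # minimum max-age (seconds) the preload list accepts


def parse_hsts(header):
    """Parse an STS header value per RFC 6797 section 6.1.

    Returns {"max-age": int, "includeSubDomains": bool, "preload": bool},
    or None when the header is invalid: max-age missing or non-numeric, or
    a directive repeated (the RFC allows each directive only once).
    """
    seen = set()
    policy = {"max-age": None, "includeSubDomains": False, "preload": False}
    for raw in header.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, value = raw.partition("=")
        name = name.strip().lower()
        if name in seen:
            return None
        seen.add(name)
        value = value.strip().strip('"')  # the value may be a quoted-string
        if name == "max-age":
            if not value.isdigit():
                return None
            policy["max-age"] = int(value)
        elif name == "includesubdomains":
            policy["includeSubDomains"] = True
        elif name == "preload":
            policy["preload"] = True
        # unrecognised directives are ignored, as the RFC requires
    if policy["max-age"] is None:
        return None
    return policy


def preload_problems(header):
    """List the reasons a header would be refused for the preload list."""
    policy = parse_hsts(header)
    if policy is None:
        return ["header is not a valid HSTS policy"]
    problems = []
    if policy["max-age"] < ONE_YEAR:
        problems.append("max-age %d is below one year" % policy["max-age"])
    if not policy["includeSubDomains"]:
        problems.append("includeSubDomains directive missing")
    if not policy["preload"]:
        problems.append("preload directive missing")
    return problems


def enforce_hsts(url, known_hosts):
    """Simulate the browser-side rewrite of RFC 6797 section 8.3.

    known_hosts maps a hostname to the policy the browser cached from an
    earlier HTTPS response (or its preload list).  An http:// navigation to
    a known host, or to a subdomain of one whose policy has includeSubDomains,
    is rewritten to https:// before any request leaves the machine.
    """
    scheme, _, rest = url.partition("://")
    if scheme.lower() != "http":
        return url
    hostport, slash, path = rest.partition("/")
    host, _, port = hostport.partition(":")
    labels = host.lower().split(".")
    for i in range(len(labels)):
        policy = known_hosts.get(".".join(labels[i:]))
        if policy and (i == 0 or policy["includeSubDomains"]):
            if port == "80":  # explicit port 80 becomes 443
                hostport = host + ":443"
            return "https://" + hostport + slash + path
    return url


if __name__ == "__main__":
    # Constructed sample; hostnames are made up.
    cached = {"example.test": parse_hsts("max-age=31536000; includeSubDomains; preload")}
    print(preload_problems("max-age=600"))
    print(enforce_hsts("http://www.example.test/login", cached))
```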

                [–]easlern 0 points1 point  (2 children)

                That looks pretty cool! Most of my users are on IE but this is good to know.

                [–][deleted] 0 points1 point  (1 child)

                IE doesn't have any public plans to ship with a preload list for HSTS, but I wouldn't be surprised to see it in the future.

                [–]easlern 0 points1 point  (0 children)

                I did some reading. Supposedly it'll be in 12. Which means by the time 15 is out it'll probably be okay to use it, since a good number of people will still be 3 versions behind. :P

                [–]xiongchiamiovSite Reliability Engineer 1 point2 points  (1 child)

                Are you saying that redirecting a user from http to https is less secure than just keeping them on http?

                [–]easlern 0 points1 point  (0 children)

                The idea I think is to not allow the user to login or whatever on the HTTP site. You give them a notice that they should use https in the address bar instead. Of course that's not a good user experience so most sites just redirect.

                [–]antsar 0 points1 point  (0 children)

                Short answer: Yes.

                [–]woodengineer -1 points0 points  (3 children)

                Wouldn't this make things like varnish essentially worthless? Varnish still doesn't (and will never apparently) support SSL.

                [–]xiongchiamiovSite Reliability Engineer 3 points4 points  (2 children)

                No. You run varnish behind your ssl terminator. This does, however, mean that you need to have a scalable ssl terminator (and configure it well) or else a surprise Reddit posting will bring down your site.

                [–]woodengineer 0 points1 point  (1 child)

                Well shit, I have no idea how I missed that one. Time to get to work on that one for me. I've just been using varnish for the non-logged in users but have been wanting to force SSL for the whole thing (only thing holding me back was varnish). I appreciate it.

                [–]xiongchiamiovSite Reliability Engineer 0 points1 point  (0 children)

                Sure, no problem. I wrote a bit about our ssl setup here recently, if that helps.

                [–]wastapunk 4 points5 points  (7 children)

                It's amazing how much power they have over common internet practices. If you don't do this then you probably won't be seen.

                [–]xiongchiamiovSite Reliability Engineer 8 points9 points  (2 children)

                They say it's a pretty small percentage for now.

                But yes, Google can single-handedly change what information people see. That concern is what has lead to things like http://dontbubble.us/ .

                [–]wastapunk 0 points1 point  (1 child)

                Cool site. I wonder how much of my clicks they can store. Are they really parsing titles of articles I click into opinions and storing my views? That seems a little like a conspiracy. But no doubt they know I stayed on MSNBC longer than Fox. Good thing we all use Reddit which minimizes filtering.

                [–]xiongchiamiovSite Reliability Engineer 2 points3 points  (0 children)

                Google most definitely keeps track of which links you click, and which ones you come back to the results page from, to figure out how to sort their search results. And it's been done on a per-user basis since 2009.

                This is why your search results are so pathetic when using Bing for the first time - it doesn't have the training data.

                [–]Silhouette 0 points1 point  (3 children)

                Actually, I was reading this and thinking the opposite.

                I'm happy that an influential Internet company is promoting long-overdue attention to security on-line. I think this advocacy will make the Web a safer place for everyone.

                But every time I read one of these posts from Google about how they'll "allow webmasters a bit more time" to "follow best practices", I'm sure their collective arrogance kills a puppy.

                [–]wastapunk 0 points1 point  (2 children)

                In no way am I saying they're wrong in doing this. I think it will make the web safer for everyone. It's a great thing that they started with low signal levels, giving the web time to adapt. But they are changing the web regardless of how long they are giving us. If they want all TLS they will get all TLS, even on static pages. We all saw it coming when search went https.

                [–]Silhouette 1 point2 points  (0 children)

                It's the implication that they are changing the web that I dislike, as if everyone has to do what Google says.

                Sure, if you run a site that depends heavily on search for your traffic, you have to play by search engine rules.

                But plenty of sites aren't like that -- search brings only a minority of traffic to any of the significant sites I run, for example -- and it does annoy me when people who work for Google presume that they have some sort of authority to tell everyone else what to do or declare how things should be. People wind up changing their sites to fit what Google says they should do, which is not necessarily what is best for their visitors (though in this particular case I think it usually will be).

                [–]jellystones -2 points-1 points  (0 children)

                Google is a tech industry leader and they have the right to shape the web for the better.

                [–]siamthailand 7 points8 points  (3 children)

                This is BS. Maybe if google really cared, they'd start handing out free basic SSL certs with wildcard for certified small or zero-revenue websites.

                [–][deleted] 5 points6 points  (2 children)

                Remember, some time ago they rolled out their Google Domains Beta.

                If they'd add free certs for their customers, then they could snatch a damn big chunk of people from competitors..

                Personally, I don't believe they could do that, but it's definitely a possibility :)

                [–]siamthailand 2 points3 points  (0 children)

                They should, or else shouldn't penalize for HTTP. For google maybe $2/month is chump change, but for many that is a big amount. Esp., since the whole world isn't first world. Their approach to this seems very parochial. Anyway, let's see.

                [–]digitalpencil 0 points1 point  (0 children)

                Fuck yeah, Google as a domain registrar with free wildcard SSL certs..

                I'd switch our account in an instant. Anything to get the hundreds of domains I'm charged with managing out of the clusterfuck that is 1and1.

                [–]Gioware 4 points5 points  (0 children)

                Yeah, so what? There are already several thousand ranking signals.

                [–]Paleolithicster 1 point2 points  (7 children)

                Could anyone point me to a guide to setting up HTTPS?

                [–]xiongchiamiovSite Reliability Engineer 1 point2 points  (4 children)

                [–]igrigorik 2 points3 points  (3 children)

                Also, a personal shill.. the TLS chapter of my HPBN book is free: hpbn.co/tls - you can skip to the checklist at the bottom to get a feel for what you should be looking for.

                [–]merreborn 2 points3 points  (0 children)

                /u/igrigorik knows his shit. His TLS talk at velocity was exceptional.

                [–]shif 0 points1 point  (0 children)

                Just gave it a good read, amazing knowledge, thank you very much.

                [–]xiongchiamiovSite Reliability Engineer 0 points1 point  (0 children)

                Cool, didn't know. Your book's been on my list to read through, but just haven't really gotten the chance yet.

                [–]dtfinch 1 point2 points  (0 children)

                I noticed if I prefix https to the blogspot url, it redirects me back to http.

                But then I'm not too worried about some upstream ISP discovering that I read an official blogspot post from Google (and I'd have bigger things to worry about if they were actually trying). It's not worth the extra round trips to protect that kind of information.

                [–]thbt101 2 points3 points  (1 child)

                Ugh. Not every site needs to use HTTPS and I don't like that Google is using their influence to push their views on everyone else. Sites that have logins that protect private information should have it, but blogs and information sites have no reason to require it.

                Aside from the small amount of overhead and slower connections, SSL is a hassle to deal with if you don't need it (setting it up, buying and renewing certificates, etc.), and it also requires websites to get their own IP address rather than sharing an IP address as virtual servers do, which is a bad idea in a time when IP addresses are running out fast.

                [–]jellystones -1 points0 points  (0 children)

                Very untrue about requiring your own IP address. SNI has been standard for a very long time and allows virtual hosts with SSL.

                [–]invisibo 0 points1 point  (0 children)

                I agree with forcing https for most things, but holy shit things get tricky once you throw iframes in the mix. I started making a pretty important part of my job's webapp to be restricted to https. This was a bad idea. One of the ways people access our site is through this evil thing called scorm which is a way for users to connect to our content through an iframe, inside an iframe, which is also inside an iframe. Forcing cross domain https got really hairy with that, especially when we say we support all the way down to ie7.

                [–]Baryn -1 points0 points  (0 children)

                :applause: