If you haven’t figured it out yet, there’s almost always a cost to FREE, not necessarily a monetary cost but a cost nonetheless.
Free Advice usually isn’t the best advice – right?
Free TV (your local broadcast) comes with commercials – right?
Free WiFi usually comes with an ad screen from the provider, not to mention the packet sniffers trying to capture your online banking passwords – right?
Don’t even get me started on Free Candy – you know what they say, “fool me once…” 😉
Which brings us to today’s topic:
SSL Certs are the backbone of making your site https. I’ve been writing a lot about that kind of stuff since Google publicly decided that they want all the web to be secure. While they are entitled to their opinion they also threw their weight at it – and when Google speaks, you should listen.
They announced that https was going to be a ranking signal – for those that are concerned about SEO, they are talking specifically to you!
Then they announced that their browsers were going to warn everyone that a site was UNSECURE before loading that page. Make no mistake, this time they were talking to ALL site owners.
I was nothing but excited when Let’s Encrypt first came out. You see, depending on the type of SSL Cert you need they can cost a considerable amount of money. My SSL Cert costs me $150 a year. Let’s Encrypt offers basic SSL Certs for FREE!
That’s great, right?
Truth be told yes it is. It really is.
Today, most hosting companies will offer a Free SSL when you start building your site. That’s great too.
So what’s the catch?
Most every SSL Cert out there is valid for a year. With some you can even buy 4 years’ worth at a time!
Not so with Let’s Encrypt.
Now to be perfectly fair – they also make the automation of renewals possible (all of this stuff happens within your host, it’s not something you or I would do).
Why in the world would they do that?
From their website:
- They limit damage from key compromise and mis-issuance. Stolen keys and mis-issued certificates are valid for a shorter period of time.
- They encourage automation, which is absolutely essential for ease-of-use. If we’re going to move the entire Web to HTTPS, we can’t continue to expect system administrators to manually handle renewals. Once issuance and renewal are automated, shorter lifetimes won’t be any less convenient than longer ones.
They go on to say:
“We recommend that subscribers renew every sixty days.”
Those are very good reasons. The problem is that automation sometimes isn’t automatic.
Recently I was working on a website we were developing. It had a free SSL CERT that was supposed to be automated. Well, guess what? Yup, the free SSL expired and guess what automatically did not happen?
For almost 5 days everyone was looking at the site like this:
When I say everyone I mean mostly me, the developer. The site wasn’t live yet, but with a bad SSL, everyone is blocked from getting to your site. Luckily for us, the site was in development so few people actually saw the warning.
Can you imagine if this was your site and it was up and running – how would you feel?
To be fair – this wasn’t Let’s Encrypt’s fault; it was the hosting company whose automation didn’t do its thing the way it should. I have a few others whose SSL Cert renewed just fine. I’d even say that you might never see this happen to your site using a FREE SSL CERT. But if you do there’s not much that you can do about it except wait for the host to fix the issue – and that really sucks!
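A missed renewal like the one above can be caught before the certificate actually expires. The sketch below is an added example, not code from this post, from Let’s Encrypt or from any host: it assumes a 90-day certificate renewed at the recommended sixty days, so a healthy site should never show less than about 30 days of remaining validity, and the function names and the 30-day threshold are illustrative choices.

```python
import socket
import ssl
import sys
from datetime import datetime, timedelta, timezone

# Assumption: 90-day certificate renewed at day 60, so anything under
# 30 days remaining means the automated renewal has not run.
RENEWAL_MARGIN = timedelta(days=30)


def classify(not_after: str, now: datetime) -> str:
    """Classify a certificate from its notAfter string (getpeercert() format)."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    remaining = expires - now
    if remaining <= timedelta(0):
        return "EXPIRED"
    if remaining < RENEWAL_MARGIN:
        return "RENEWAL_OVERDUE"
    return "OK"


def check_host(host: str, port: int = 443, timeout: float = 10.0) -> str:
    """Fetch the certificate a live site serves and classify it."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
    except ssl.SSLCertVerificationError as exc:
        # An already-expired certificate fails the handshake, which is the
        # same condition that produces the browser warning.
        return f"INVALID ({exc.verify_message})"
    except OSError as exc:
        return f"UNREACHABLE ({exc})"
    return classify(not_after, datetime.now(timezone.utc))


if __name__ == "__main__":
    # Usage: python check_cert.py yoursite.example othersite.example
    for name in sys.argv[1:]:
        print(name, check_host(name))
```

Run daily from cron or a CI job, a `RENEWAL_OVERDUE` result gives roughly a month of notice to chase the host instead of finding out from the browser warning.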
I’m currently working on making customer sites secure these days and if at all possible I’m recommending that they NOT go with FREE – at least not right now until the hosts get this all figured out.
I’ll use it for the sites that don’t matter much like my motorcycling blog but if it matters I’ll go with NON FREE for now – thanks.
Want to hire me to make your site SECURE? Just ask!