Encrypting the site

I've just moved my site from HTTP over to HTTPS.  It's not a huge deal for something like this, but it's something which I've really needed to do for a while, and something which is becoming more and more popular.  For most people this won't mean much, and for this site it doesn't make much difference, but given that encrypting web pages is a simple process, there's no real reason not to be doing it.

I chose to use Let's Encrypt for setting up the SSL certificate as I've always had trouble in the past when I've tried it (admittedly under Apache on Windows) but this made it as simple as possible.  Just get their 'certbot', run a command in the terminal and away we go.  I did have to set an additional IP address on the server, and then set this site to use that IP address to listen on, but once that was done, it was very straightforward.  The command I ran was:

./certbot-auto --apache -d garybell.co.uk -d www.garybell.co.uk

and then follow the prompts on screen.  It took care of the new vhost in Apache, setting up the certificate and restarting Apache.  Done! Simple.

With all that in mind, it amazes me that there are websites out there which will take payments and they aren't loading their page over HTTPS.  Sure they will load the payment section in an HTTPS iframe, but it's often difficult to tell that the payment part is an iframe, and that it is secure.  After going through the process of setting up the SSL certificate on this and another domain I own, I certainly won't buy from a company which serves their payment page in an HTTPS iframe, but fails to serve their website over HTTPS.
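The pattern described above can be checked for mechanically when reviewing a site. The following is an added example, not something from the original post: it parses a fetched page and flags HTTPS iframes embedded in a page that was itself served over HTTP, where the outer page has no integrity protection and so cannot vouch for which frame gets loaded. The function name, finding labels, host names and sample HTML are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FrameCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in a document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def audit_frames(page_url, html):
    """Return (frame_url, finding) pairs for one fetched page."""
    page_scheme = urlsplit(page_url).scheme.lower()
    collector = _FrameCollector()
    collector.feed(html)
    findings = []
    for src in collector.sources:
        frame_url = urljoin(page_url, src)  # resolves relative and //host forms
        frame_scheme = urlsplit(frame_url).scheme.lower()
        if frame_scheme not in ("http", "https"):
            continue  # about:, data: and similar are out of scope here
        if page_scheme == "http" and frame_scheme == "https":
            # The case from the post: secure frame, unprotected parent page.
            findings.append((frame_url, "https-frame-on-http-page"))
        elif frame_scheme == "http":
            findings.append((frame_url, "http-frame"))
    return findings


# Constructed sample: shop.example, pay.example, cdn.example are placeholders.
SAMPLE_HTML = """
<html><body>
  <h1>Checkout</h1>
  <iframe src="https://pay.example/card-form" width="400"></iframe>
  <iframe src="//cdn.example/banner.html"></iframe>
  <iframe src="/help.html"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for url, finding in audit_frames("http://shop.example/checkout", SAMPLE_HTML):
        print(finding, url)
```

Run against the same markup with an `https://` page URL, the function returns no findings, because scheme-relative and relative frame sources inherit HTTPS from the parent page.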

How much does it cost to get an SSL certificate?  It depends.  If you go via one of the major routes, then anything from around $30 right up into the hundreds.  It depends on what you want and where you shop.  With Let's Encrypt it costs nothing.  Zero! I have yet to pay for the SSL certificates I have from them, and I don't have to pay if I don't want to or can't afford it.  That said, I will be donating something to them for providing the service.  They estimate it costs them just over $2m a year to run, and they have over 5m unexpired certificates.  If each one of those certificates contributed $1 each, then they would get enough to keep the service running for 2 years.

Given that the certificates are free, and the barrier to getting one is essentially nil for anyone with some technical knowledge, there's really no reason not to encrypt!