Towards a Secure and Safe Internet

Rajesh Narayanan
Feb 9, 2018

Around one year ago, Google Chrome announced that they would begin marking all sites that are not encrypted with HTTPS as “not secure” in their browser. This move essentially started shaming websites by displaying a “Not Secure” marker in the address bar. However, this happened only when the site collected passwords or credit card info.

Later in 2017, they further announced their next steps towards a more secure internet. In this step the warning came up in two more situations: when people enter data on an HTTP page, and on all HTTP pages visited in Incognito mode.

This war was waged on the grounds that when you load a website over HTTP, someone else on the network can look at or change the site before it gets to you. This definitely was a meaningful fight.

HTTPS Everywhere… (Image Source: Wikimedia)

Here’s the rub: Chrome has made switching over to HTTPS a matter of basic hygiene for every site. Starting July 2018, Chrome will begin displaying the “Not Secure” mark on all HTTP websites.

For the major players out there this news will not matter. For very small personal blogs and websites with dedicated fans, this again might be a trivial affair. However, if you are running a fledgling company that has so far been unwilling to shell out for its own SSL/TLS certificate, this might cause some concern.

To offset this there are several means by which you can procure your own certificate for free. I wanted to cover some of these in this post.

Option 1: Google Cloud

At the beginning of 2017, Google established Google Trust Services, which now operates several root certificates. In the year since, they have been smartly lobbying for the cause of a secure internet.

Yes, Google Cloud! I think this whole drama of forcing https in one way or the other was to drive more folks to explore Google’s other products. In this case Google Cloud.

Basically you map a domain to your app, prove ownership, and App Engine automatically provisions an SSL certificate and renews it whenever necessary, at no additional cost. Managed SSL certificates in App Engine are free, for now. Time will tell if Google will stay committed to this cause or will change its tune!

Google also runs its own domain purchasing service, which they have kindly integrated as a link inside their Cloud setup walk-through. Talk about coincidences!

Cloud Computing (Image Source: Internet)

Option 2: AWS

You cannot keep Amazon away from the thick of the action, can you? However, this might not be for everyone. Amazon’s suite of services grows at an incredible pace. For many small players it might be tedious to keep up with this growth without employing Associate/ Professional Developers/ Solution Architects.

Nonetheless, the landing page for pricing of AWS Certificate Manager is kept super simple. So simple, in fact, that you might just pause and glance up to the security sign on your address bar!

Option 3: Let’s Encrypt

When the who’s who of the internet sponsors you, you deserve a mention. I would not have known about them had my hosting support not pointed me in their direction.

If your website is hosted and you are in good control of the virtual/ physical machine hosting your site files, i.e. you have shell access to your web host, Let’s Encrypt is a good choice. To get a certificate issued to you, they use a client called Certbot.

For those without shell access, they recommend that your host (if you are lucky and they are in this list) request a certificate on your behalf. In the worst case, they recommend custom certificates that are installed on your computer and then uploaded to your hosting provider, but this option is not for everyone.

A feature I am looking forward to is wildcard certificates. This will be rolling out by the end of Feb 2018. What this means is you can add https across all sub-domains of your website using a wildcard like *.<DOMAIN_NAME>.com. If you host using DigitalOcean, do give this Tutorial a read: step 3 covers how you can use an automated job to auto-renew the certificate issued by Certbot, which expires after 90 days.
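A quick way to check what a certificate really covers and when it needs renewing, as an added example that is not part of the original post. It assumes the placeholder domain example.com, a constructed certificate in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`, and a 30-day renewal window; note that a wildcard name matches exactly one sub-domain label, so it covers neither the bare domain nor nested sub-domains.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert();
# example.com and the date are placeholders, not a real certificate.
SAMPLE_CERT = {
    "notAfter": "May 10 12:00:00 2018 GMT",
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
}


def name_matches(pattern, hostname):
    """True if one certificate DNS name covers hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # "*" never spans a dot: a.b.example.com is not covered
    if p_labels[0] == "*":
        # The wildcard stands in for the left-most label only.
        return bool(h_labels[0]) and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_covers(cert, hostname):
    """True if any DNS subjectAltName entry covers hostname."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(name_matches(n, hostname) for n in names)


def days_left(cert, now):
    """Whole days between `now` (timezone-aware) and the notAfter date."""
    expiry = ssl.cert_time_to_seconds(cert["notAfter"])
    return (datetime.fromtimestamp(expiry, tz=timezone.utc) - now).days


def renewal_due(cert, now, threshold_days=30):
    """threshold_days is an assumed renewal window, not a value from the post."""
    return days_left(cert, now) <= threshold_days


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for host in ("blog.example.com", "example.com", "a.b.example.com"):
        print(host, "covered" if cert_covers(SAMPLE_CERT, host) else "NOT covered")
    print("days left:", days_left(SAMPLE_CERT, now), "renew:", renewal_due(SAMPLE_CERT, now))
```

To run the same checks against a live site, pass in the dict from `getpeercert()` on a verified TLS connection in place of `SAMPLE_CERT`.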

Encrypted World (Image Source: Pixabay)

Alternate Options

There are a few sites like gethttpsforfree.com, trusted CAs like Comodo and third parties like Instantssl who issue a time-bound free certificate.

Employing these means you will either have to face the hassle of certificate installation and renewal yourself or pay for a longer certificate at a later point. So I am not covering these in much detail in this post. However, feel free to share your experiences with them in the comments section.

This ongoing saga might be phase two of Google’s masterplan. Maybe in the next one it might become mandatory for sites to have https without which the user will need to add an exception for the website in the browser’s setting to use it.

While other major web browsers may not get into this game, I am of the belief that eventually the propaganda of a safe and secure internet is too strong to be ignored. It would be counterintuitive not to follow suit.

Watch this YouTube video while you are looking into this topic to understand why even an unimportant website will need https. If you have read my previous article, you would have noticed my concern about the rise of smart scams plaguing the internet. A concept like https will surely go a long way in helping cut down many such issues.

While I do not have a bias towards any of the above options, I personally employed option 3 as:

1. My website is small and I did not want to get muddled up with Google/ Amazon.

2. I felt much more in control with this option.

I did run into minor issues when installing https for my website using Certbot, but was put at ease by the amount of help available via a simple Google search.

I am pretty sure that there are loads of other methods to get your free https issued. I just wanted to get the ball rolling. Hopefully we will get more helpful references in the comments. Until then, thank you for giving this post a patient read till the very end!
