3 Ways to Secure your Website for Free

Stephen Keep
Feb 6, 2016

November 2016 — I have updated a new method here: Free SSL for everyone!

It was only six months ago that I was asked to add SSL/HTTPS to a new website. We needed to secure 10 different web servers, each with its own subdomain. After looking into the cost of buying a single certificate for each server, it quickly became apparent that we needed to purchase a wildcard domain name: one SSL certificate that would work for all our servers. Even though this was the “cheaper” option, it would still cost $499 a year through Thawte. Really, a modern website does not have any choice but to serve content over HTTPS, especially when you consider that in iOS 9 Apple have made it compulsory with the addition of the App Transport Security feature, which rejects insecure content by default.

Since buying the wildcard certificate the world of SSL has been shaken up and there are now many ways you can secure your site without paying a penny extra. Each implementation has its own pros and cons, so it’s best to explore all options before making your decision.

1. Let’s Encrypt

Let’s Encrypt is a non-profit organisation based in California that is working with leading companies in the industry such as Facebook, Mozilla, Google and Cisco to create a free, automated and open certificate authority. One of the downsides of using a certificate issued by Let’s Encrypt is that it only lasts for 90 days before you have to renew it. There are tools available to automate the procedure so that every time your server is deployed the certificate can be renewed. However, this short lifespan needs to be taken into consideration when making the decision to go with this option. There is also a tool that can create a certificate for you from a manual form, which gives you an opportunity to try the certificate out, although I would not recommend it in production.

Create an HTTPS certificate for free at https://gethttpsforfree.com/

Pros

  • Free
  • Backing by Industry

Cons

  • 90 day certificates
  • Still in Beta
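
Because a 90-day certificate that is not renewed in time takes the site offline for browsers, an expiry check across all hosts is worth running on a schedule. The sketch below is an added example, not code from the original post: the 30-day renewal window is an assumption, and the hostnames and dates are constructed sample data.

```python
import socket
import ssl
from datetime import datetime, timezone

RENEW_BEFORE_DAYS = 30  # assumption: renew once fewer than 30 days remain


def fetch_cert(host, port=443, timeout=5):
    """Return the validated peer certificate dict for host (needs network)."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def renewal_status(cert, now=None, renew_before_days=RENEW_BEFORE_DAYS):
    """Classify a getpeercert()-style dict as 'ok', 'renew' or 'expired'."""
    now = now or datetime.now(timezone.utc)
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    days_left = (not_after - now).days
    if not_after <= now:
        return "expired", days_left
    if days_left < renew_before_days:
        return "renew", days_left
    return "ok", days_left


def check_all(certs, now=None):
    """Map each hostname to its status; certs is {hostname: cert dict}."""
    return {host: renewal_status(cert, now) for host, cert in certs.items()}


# Constructed sample data: three 90-day certificates issued on different dates.
SAMPLE_CERTS = {
    "www.example.com": {"notAfter": "Mar 31 00:00:00 2016 GMT"},
    "api.example.com": {"notAfter": "May 20 00:00:00 2016 GMT"},
    "old.example.com": {"notAfter": "Feb 29 00:00:00 2016 GMT"},
}
SAMPLE_NOW = datetime(2016, 3, 15, tzinfo=timezone.utc)

if __name__ == "__main__":
    for host, (state, days) in check_all(SAMPLE_CERTS, SAMPLE_NOW).items():
        print(f"{host}: {state} ({days} days left)")
```

For live hosts, pass `{host: fetch_cert(host) for host in hosts}` to `check_all` and alert on anything that is not `ok`.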

2. AWS Certificate Manager

Following on the heels of Let’s Encrypt, Amazon announced that they too would be offering SSL/TLS certificates for free. It’s a great option if you are already using AWS to host your site. They take care of renewals for you, so there’s no need to worry about your webpage becoming unavailable. They also take care of the SSL configuration, so you don’t have to choose the most up-to-date ciphers, key length and hash signatures. Because of this you never see the private keys, meaning that you don’t have to worry about keeping them secure. However, this does mean that the certificate can’t be moved outside of AWS, so you will have to be using either the Elastic Load Balancer or CloudFront.

Pros

  • Free
  • You never see the Private Key
  • Automatic Renewals
  • No SSL configuration

Cons

  • Limited to AWS (Elastic Load Balancer or CloudFront)

3. Heroku

Heroku have always provided free SSL termination to all apps on the *.herokuapp.com domain. This means that when hosting an API on Heroku you do not have to pay extra for SSL. You get free SSL out-of-the-box. However, this option is really only applicable if you do not require a custom domain name such as www.example.com. You can still use custom domain names on Heroku, but they do charge.

Pros

  • Free
  • You never see the Private Key
  • Automatic Renewals
  • Zero SSL configuration

Cons

  • No custom domain

Conclusion

So those are the 3 options, each with its own pros and cons. Do you update the website within 3 months? Then it is worth considering Let’s Encrypt. If you host your servers on AWS using Elastic Load Balancer or CloudFront, then go with option 2. If it’s an API or a website that is not public facing, then consider the free SSL from Heroku.
