Time for SSL-only internet

There is really no reason why you should not be running only HTTPS (also known as HTTP over TLS, or Transport Layer Security) on your website. Even if you are not running any authentication today, there is a good chance you will in the future. Furthermore, if you care about SEO, Google is going to rank your site higher when you have taken care of security (see: HTTPS as a ranking signal).

Lately I have been configuring a few sites to run on HTTPS, and here are some tips.

  • Decide the kind of certificate you need: single, multi-domain, or wildcard certificate
  • You need a dedicated IP; it’s easier that way
  • Buying the certificate. If you are new to HTTPS and you are not sure which certificate to buy, then buy the cheapest single-domain one. If you are paying more than 10 USD for the certificate and you just need to get your website working on HTTPS, then you are probably paying for extras.
  • Make sure you use 2048-bit key certificates; I don’t think anyone is selling anything else anymore.
  • Use relative URLs for resources that reside on the same secure domain
  • Use protocol-relative URLs for all other domains. This means you need to ensure that all third-party services support SSL, because otherwise you’ll give your users browser warnings alongside some security concerns. For example, if you use a JavaScript CDN, make sure the URLs change from src="http://cdn. to src="//cdn.
  • Check out Google Site move article for more guidelines on how to change your website’s address
  • Don’t block your HTTPS site from crawling using robots.txt
  • Allow indexing of your pages by search engines where possible. Avoid the noindex robots meta tag.
  • Configure a redirect from HTTP to HTTPS
  • I recommend RapidSSL or PositiveSSL. I have been using PositiveSSL from Namecheap, but there are even cheaper ones at https://www.cheapestssls.com/. There is also a free certificate at https://www.startssl.com/, but I have not tried it personally. Though, free is probably never free. Maybe it is OK for test environments and sandboxes, but I would use RapidSSL or PositiveSSL for production.
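
To find the resource URLs the two URL tips above are about, here is a small audit script. It is an added example, not part of the original post; the site name www.example.com, the sample page and the function names are made up for illustration. It flags every http:// subresource and suggests a relative URL for the same domain or a protocol-relative URL for other domains.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Tags whose URL attribute makes the browser fetch a subresource (<a href> is navigation).
RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src",
                  "embed": "src", "audio": "src", "video": "src",
                  "source": "src", "link": "href"}

def suggest(url, site_host):
    """Return a replacement for an http:// resource URL, or None if it is fine."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "http":
        return None  # https, relative and protocol-relative URLs are left alone
    tail = urlunsplit(("", "", parts.path or "/", parts.query, parts.fragment))
    if (parts.hostname or "").lower() == site_host.lower():
        return tail  # same secure domain: relative URL
    # Other domain: protocol-relative URL (that host must also serve HTTPS).
    return "//" + parts.netloc + tail

class MixedContentAudit(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.findings = []  # (line, tag, old_url, suggested_url)

    def handle_starttag(self, tag, attrs):
        wanted = RESOURCE_ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                fix = suggest(value.strip(), self.site_host)
                if fix is not None:
                    self.findings.append((self.getpos()[0], tag, value, fix))

def audit(html, site_host):
    parser = MixedContentAudit(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page for the hypothetical site www.example.com.
SAMPLE = """<head>
<script src="http://cdn.example.net/jquery.min.js"></script>
<link rel="stylesheet" href="http://www.example.com/css/site.css?v=3">
</head><body><img src="/img/logo.png">
<a href="http://other.example.org/">link</a></body>"""

if __name__ == "__main__":
    for line, tag, old, new in audit(SAMPLE, "www.example.com"):
        print(f"line {line}: <{tag}> {old} -> {new}")
```

Run it over your templates before switching on the redirect, so the browser warnings show up in the audit instead of in front of your users.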

Be secure out there… You can test your server’s security level and configuration with the Qualys Lab tool.

 
