You likely haven’t noticed yet, but if you look at the top corner of your browser, you should be seeing a little lock symbol up there for the first time (at least when you came to this site). For years now, Signal-Chief has been served up on straight HTTP. I was never really worried about it because there is no personal information on the site, and the only person who actually logged into it was me (and I use unique passwords on everything). As Troy Hunt pointed out in his blog in July of this year, out of the current Alexa 1 Million websites, only about 20% of them were serving up on HTTPS however Firefox was reporting that nearly 60% of the traffic that it’s browsers served were using HTTPS.
One of the reason’s I’ve held off on using SSL up until now is because I don’t make a dime off of Signal-Chief and SSL certificates cost money ($60-100+ a year). In my mind, that cost hasn’t made it worth while to use SSL given very small amount of data that I actually care about being encrypted. And then, two things changed. First, on Sept 14, 2015 Let’s Encrypt issued out its first certificate. Let’s Encrypt is a joint venture between companies like Mozilla, Cisco, Electronic Frontier Foundation, and many many others who have partnered together to make a FREE certificate authority. This means that now it was fairly “easy” for any website to get a trusted SSL certificate that would be accepted by default from the majority of browsers at no cost. Let’s Encrypt has the stated goal of making the Internet 100% encrypted, and they seem to be well on their way. By June of this year, they had issued out over 100 million certificates to over 50 million sites.
The other thing that has changed is that browsers are now making it more and more obvious when you are using a site that doesn’t use HTTPS. Until recently, about the only warning that you got was the lack of a little lock icon on the screen when you browsed to a site using HTTP instead of HTTPS. Earlier this year, Firefox changed things up when it started to warn you that you were entering passwords and other information on a form that wasn’t using HTTPS.
Now Chrome has joined the club and is about to make it very obvious when you aren’t using HTTPS when your browse the web.
So that’s it. Rather than have people get concerned about the safety of my site, I figured it was time to make the leap and start using SSL on Signal-Chief and come of age. As I said the other day, this is one of the reasons why I upgrade my GoDaddy hosting account to a VPS because my last account didn’t support SSL (unless I wanted to shell out $60 for one of GoDaddy’s certificates). It was my plan to go ahead and include the steps I had to take to get SSL working in this post, but it’s already a little bit longer than I had planned so I will do that on a follow-on post. Until then….enjoy secure browsing.