Site icon Sophos News

With 4 months to switch on HTTPS, are web hosting companies ready?

Ticking clock

Like it or not, if your website isn’t using HTTPS (the encrypted version of the web’s HTTP protocol) by July then you’re likely to lose traffic.
That’s because in July 2018 Google Chrome, the world’s most popular browser, will start warning users that web pages served over HTTP are not secure (they aren’t).
This isn’t an empty threat, Chrome has been turning the screw on HTTP for a number of years and Google Search already gives sites with HTTPS a boost in its search rankings. You should expect other browsers to follow Chrome’s lead.
In other words, if you’re buying web hosting you’re going to want HTTPS. I wondered if the major web hosting companies were standing by, ready to help.

TLS/SSL

Turning on HTTPS means installing an SSL certificate. (These days they’re actually TLS certificates but the old term, SSL, has stuck and it’s the one the hosting industry uses, so I’ll be using it for the rest of this article.)
With four months to go before Google starts warning users about HTTP being insecure, I wanted to see if the big web hosting companies are making it easy for new customers to dodge this bullet.
I wanted to know what a new, non-technical customer would be faced with: are the hosting companies using terms that buyers spooked by Chrome’s deadline might have seen – terms like SSL, TLS or HTTPS; is SSL now mandatory or opt-out by default in their hosting packages; and what, in a world where free SSL certificates are easily obtained, are the hosting companies charging for SSL?
In short – does the path of least resistance lead non-technical customers to a site protected by HTTPS?

Shared hosting

Web hosting is the place you put your website – if your website were a building then hosting would be the land it’s built on (and your domain would be a signpost telling people where to find it).
In this article I focus on what new customers see when they buy shared hosting, the simplest and cheapest kind of web hosting. Straightforward and popular, shared hosting packages are the kind of thing that somebody might buy for their their small business website.
I looked at SSL support in shared hosting packages offered by five of the top US hosting companies by market share, according to HostAdvice. (Amazon Web Services, RackSpace and SoftLayer are not included because they don’t offer products in the entry-level, shared hosting space.)

The results

The table below displays the following information:

Host Plan SSL Annual Cost
Offered Opt-out Named Free Plan SSL Total
GoDaddy Economy $95.88 $74.99 $170.87
Deluxe $131.88 $74.99 $206.87
Ultimate $203.88 $0 $203.88
1&1 Basic $95.88 $0 $95.88
Unlimited Plus $119.88 $0 $119.88
Unlimited Pro $179.88 $0 $179.88
Bluehost Basic $95.88 $39.99 $135.87
Plus $131.88 $39.99 $171.87
Prime $179.88 $39.99 $219.87
HostGator Hatchling Plan $107.40
Baby Plan $143.40 $19.95 163.35
Business Plan $203.40 $0 $203.40
DreamHost Shared Hosting $107.40 $0 $107.40

SSL is widely supported across the shared hosting packages I looked at, although the cost varies enormously and makes a significant difference to the total annual cost of hosting.
For example, 1&1 and GoDaddy both offer packages costing $95.88 without introductory offers.  1&1’s SSL is included in the price while GoDaddy’s domain validated SSL certificates – the same kind of validation you get with a free Let’s Encrypt SSL certificate – are an eye watering $75.
In some cases the design of the sign-up process or the language used seems likely to cause confusion.
When I first looked at Bluehost I noticed its selected-by-default “SiteLock Security – Find” option included a “Site Verification Certificate”, which I assumed was an SSL certificate. I later found a separate option for SSL and despite a good look at the SiteLock and Bluehost websites I still don’t know what a site “Site Verification Certificate” is.
Bluehost’s SSL option, Comodo PositiveSSL Bundle, is hidden when the default term of 36 months is selected. It only appears if you select 12 months of hosting, offered for an extra at $39.99.
Its disappearance for longer terms isn’t explained anywhere and it took Bluehost support about 15 minutes to tell me that it’s because SSL is not available for the longer terms:

Looks like it is only for 12 months. My suggestion would br to go for a PRO plan in which you get a free dedicated IP and SSL

So SSL isn’t available if I buy 36 months?

Yes

OK, thanks

This seems unlikely but at least one Bluehost representative thinks it’s true. Either way, the path of least resistance for a new customer isn’t exactly a path of low resistance.

Who’s ready?

Twelve of the thirteen shared hosting plans I reviewed offered SSL and six plans included it in the price of twelve months hosting: DreamHost’s Shared Hosting; 1&1’s Basic, Unlimited Plus and Unlimited Pro; GoDaddy’s Ultimate plan and HostGator’s Business Plan.
If you have details of SSL support for companies not listed here, feel free to add them to the comments below (no ads please – just address the questions in my chart).

LEARN MORE ABOUT HTTPS

Listen to Naked Security Podcast Episode 2 (HTTPS segment starts at 08’45”):

(Audio player above not working? Download MP3, listen on Soundcloud or access via iTunes.)

Intro music: http://www.purple-planet.com

Closing music: https://thespacelords1.bandcamp.com

Exit mobile version