Like it or not, if your website isn’t using HTTPS (the encrypted version of the web’s HTTP protocol) by July then you’re likely to lose traffic.
That’s because in July 2018 Google Chrome, the world’s most popular browser, will start warning users that web pages served over HTTP are not secure (they aren’t).
This isn’t an empty threat, Chrome has been turning the screw on HTTP for a number of years and Google Search already gives sites with HTTPS a boost in its search rankings. You should expect other browsers to follow Chrome’s lead.
In other words, if you’re buying web hosting you’re going to want HTTPS. I wondered if the major web hosting companies were standing by, ready to help.
TLS/SSL
Turning on HTTPS means installing an SSL certificate. (These days they’re actually TLS certificates but the old term, SSL, has stuck and it’s the one the hosting industry uses, so I’ll be using it for the rest of this article.)
With four months to go before Google starts warning users about HTTP being insecure, I wanted to see if the big web hosting companies are making it easy for new customers to dodge this bullet.
I wanted to know what a new, non-technical customer would be faced with: are the hosting companies using terms that buyers spooked by Chrome’s deadline might have seen – terms like SSL, TLS or HTTPS; is SSL now mandatory or opt-out by default in their hosting packages; and what, in a world where free SSL certificates are easily obtained, are the hosting companies charging for SSL?
In short – does the path of least resistance lead non-technical customers to a site protected by HTTPS?
Shared hosting
Web hosting is the place you put your website – if your website were a building then hosting would be the land it’s built on (and your domain would be a signpost telling people where to find it).
In this article I focus on what new customers see when they buy shared hosting, the simplest and cheapest kind of web hosting. Straightforward and popular, shared hosting packages are the kind of thing that somebody might buy for their their small business website.
I looked at SSL support in shared hosting packages offered by five of the top US hosting companies by market share, according to HostAdvice. (Amazon Web Services, RackSpace and SoftLayer are not included because they don’t offer products in the entry-level, shared hosting space.)
The results
The table below displays the following information:
- Host – the company selling the hosting
- Plan – the hosting product
- Offered – is SSL offered as part of the product?
- Opt-out – is SSL mandatory or selected by default?
- Named – are recognisable terms like SSL, TLS or HTTPS used?
- Free – Is the price of SSL included?
- Plan – The cost of 12 months hosting, billed annually after any introductory offers have expired
- SSL – The annual cost of an SSL certificate from this host
- Total – The total annual cost of both hosting and SSL
Host | Plan | SSL | Annual Cost | |||||
---|---|---|---|---|---|---|---|---|
Offered | Opt-out | Named | Free | Plan | SSL | Total | ||
GoDaddy | Economy | ✓ | ✘ | ✓ | ✘ | $95.88 | $74.99 | $170.87 |
Deluxe | ✓ | ✘ | ✓ | ✘ | $131.88 | $74.99 | $206.87 | |
Ultimate | ✓ | ✓ | ✓ | ✓ | $203.88 | $0 | $203.88 | |
1&1 | Basic | ✓ | ✓ | ✓ | ✓ | $95.88 | $0 | $95.88 |
Unlimited Plus | ✓ | ✓ | ✓ | ✓ | $119.88 | $0 | $119.88 | |
Unlimited Pro | ✓ | ✓ | ✓ | ✓ | $179.88 | $0 | $179.88 | |
Bluehost | Basic | ✓ | ✘ | ✘ | ✘ | $95.88 | $39.99 | $135.87 |
Plus | ✓ | ✘ | ✘ | ✘ | $131.88 | $39.99 | $171.87 | |
Prime | ✓ | ✘ | ✘ | ✘ | $179.88 | $39.99 | $219.87 | |
HostGator | Hatchling Plan | ✘ | – | – | – | $107.40 | – | – |
Baby Plan | ✓ | ✘ | ✓ | ✘ | $143.40 | $19.95 | 163.35 | |
Business Plan | ✓ | ✓ | ✓ | ✓ | $203.40 | $0 | $203.40 | |
DreamHost | Shared Hosting | ✓ | ✓ | ✓ | ✓ | $107.40 | $0 | $107.40 |
SSL is widely supported across the shared hosting packages I looked at, although the cost varies enormously and makes a significant difference to the total annual cost of hosting.
For example, 1&1 and GoDaddy both offer packages costing $95.88 without introductory offers. 1&1’s SSL is included in the price while GoDaddy’s domain validated SSL certificates – the same kind of validation you get with a free Let’s Encrypt SSL certificate – are an eye watering $75.
In some cases the design of the sign-up process or the language used seems likely to cause confusion.
When I first looked at Bluehost I noticed its selected-by-default “SiteLock Security – Find” option included a “Site Verification Certificate”, which I assumed was an SSL certificate. I later found a separate option for SSL and despite a good look at the SiteLock and Bluehost websites I still don’t know what a site “Site Verification Certificate” is.
Bluehost’s SSL option, Comodo PositiveSSL Bundle, is hidden when the default term of 36 months is selected. It only appears if you select 12 months of hosting, offered for an extra at $39.99.
Its disappearance for longer terms isn’t explained anywhere and it took Bluehost support about 15 minutes to tell me that it’s because SSL is not available for the longer terms:
Looks like it is only for 12 months. My suggestion would br to go for a PRO plan in which you get a free dedicated IP and SSL
So SSL isn’t available if I buy 36 months?
Yes
OK, thanks
This seems unlikely but at least one Bluehost representative thinks it’s true. Either way, the path of least resistance for a new customer isn’t exactly a path of low resistance.
Who’s ready?
Twelve of the thirteen shared hosting plans I reviewed offered SSL and six plans included it in the price of twelve months hosting: DreamHost’s Shared Hosting; 1&1’s Basic, Unlimited Plus and Unlimited Pro; GoDaddy’s Ultimate plan and HostGator’s Business Plan.
If you have details of SSL support for companies not listed here, feel free to add them to the comments below (no ads please – just address the questions in my chart).
LEARN MORE ABOUT HTTPS
Listen to Naked Security Podcast Episode 2 (HTTPS segment starts at 08’45”):
(Audio player above not working? Download MP3, listen on Soundcloud or access via iTunes.)
Intro music: http://www.purple-planet.com
Closing music: https://thespacelords1.bandcamp.com
Brooke
How was there no mention of what letsencrypt is offering?
Mark Stockley
I plan to look at deploying Let’s Encrypt into basic shared hosting in a future article but for a lot of people, likely most people, it’s not an option.
This article is for people whose only realistic option for hosting/SSL is whatever is bundled with entry level shared hosting. Those are the people most likely to be left behind by Chrome’s HTTPS deadline.
If you know what SSL is, how to ssh into your hosting, pull code from a git hub repo and set up a cron job, then you’re well equipped to deal with the deadline without my help, and this article is not for you.
William Warren
Smaller webhosts can compete very well against the big boys now with LE. Since I am speaking as the owner of a small web host…i will provide a private link to the author.
Mark Stockley
Leave a comment with the link and instructions not to publish.
Brooks
I’m wondering if the Bluehost “Site Verification Certificate” not a certificate in terms of what we’re thinking about and more along the lines of one of the badges you can display on your website that it’s “secure”?
Mark Stockley
Yes, that was my best guess too.
KGHN
I switched hosting to obtain a fixed IP, which I was told was required for SSL. My new host gave me a CSR that I used at ZeroSSL.com to get a Let’s Encrypt free DV certificate. The hosting techs applied it to the site. It works for my bare URL, but not for the www. version. Frustrating.
Mark Stockley
A fixed IP isn’t required for SSL if the server supports Server Name Indication (SNI), so a fixed IP is a requirement enforced by the host rather than SSL.
Also, it should be possible to create a Let’s Encrypt certificate with both domains in it. Ask your host if they can provide a CSR with both.
William Warren
actually if your host is configured for SNI then you do not require a dedicated IP for an ssl cert..:)
brianr2015
I am hosting 16 WordPress sites on an account with U-Net in the UK. so far they have not been able to offer me anything, there was a letsencrypt plugin in development for WP, but it seems to have died. I would be happy to “help” with such a project, but do not have the smarts on my own to develop it.
ttracetalk
For your situation, I would recommend a set up similar to what I currently use for my own WordPress site. I use Linode’s London server centre for the hosting as I like the flexibility. You can commission a 1Gb RAM VPS server for $5/month and easily resize it without any fuss if your needs change. There are no fixed contract lengths, charges are per hour and you can pay any amount, any time in advance of your monthly invoicing. It’s possible to install a preconfigured WordPress stack and they have an excellent series of detailed tutorials that explain step by step how to do pretty much anything you are ever likely to want to do with a server.
As I prefer to have a GUI control panel, I use the open source CentOS Web Panel. It’s pretty easy to install via SSH, but the CentOS Web Panel team offer a very cheap installation service if you don’t feel confident doing it yourself. Once your have the control panel installed and have your domain(s) pointing to the Linode’s IP you can log in and set up user accounts for each website you have and then use the one click Auto SSL feature to add a LetsEncrypt certificate to each domain. The only real problem I had was getting the default ‘B’ rating on Qualys SSL checker. I had to change the cipher definitions in the server config files to get ‘A’ rated.
Of course a set up like mine is outside the technical ability range of most of the people this article is supposed to be aimed at, but, after trying all sorts of other hosting arrangements from cheap shared hosting to dedicated servers, I’ve found the combination of Linode + CentOS Web Panel + LetsEncrypt to be the cheapest and simplest way I’ve found for hosting my ecommerce WordPress site.
Tom Connelly
Hi,
Is the SSL option that you use able to be used on a domain hosted within a shared hosting account? …or do you have to “own the hosting”?
If so, is there an FAQ anywhere?
Bruce Fryer
Tmdhosting has letsencrypt for free accessed in cPanel. Support will set it up for free, just submit a ticket.
Be forewarned, if you link to external non-ssl images, you will get browser warnings.
Tim Boddington
I use 1&1 and setting up SSL could not be easier, a minute or two, no probs.
Anonymous
How many domains? Seems like it one is free.
Richard Waterworth
Bluehost does offer free SSL certificates to websites that are running a WordPress installation, but that doesn’t mean that it is the ideal situation.
Joshua Gambrill
What about something like cloudflare? it doesn’t truly give you TLS all the way to the website but it would get rid of the issue for free on whatever you were on at the moment
Mark Stockley
It would be a sensible solution, yes, but I suspect that most small businesses will be better off holding their nose and buying whatever SSL their host is offering, even at $75, since it represents the smallest change and lowest possible risk. It seems a lot to pay for something that you can get for free but it doesn’t take long to waste more than $75 of your time if you get stumped trying to figure out what the heck a DNS nameserver record is and how to change it. Indeed a lot of the companies I run into have no idea where their DNS records are kept. Finding the credentials to get access often takes hours, never mind actually changing anything.
nickthreadgroupcom
Starting on March 1, 2018, you will no longer be able to purchase 3-year SSL certificates. This change is being enforced by the Certificate Authority/Browser Forum (CAB Forum), which is more or less a regulatory body made up of CAs and Browser.
barry441
I just signed up with archhosting.com for a new site because of the very fact that they offer a free SSL certificate and the current host, powweb.com, for my first site wants $$ for one. Simple as that. They are both non-critical personal sites, so money talks.
harrywales
The hosting company I have been running here in the UK since 1995, CMS Wales, has been providing free SSL certificates to ALL our hosted clients since March 2017. We do not host any ‘http” only websites, all hosted sites are HTTPS/SSL enabled from day 1.
Wes
I think it’s interesting that LetsEncrypt is discussed so much in this article. I would take a guess that its days are numbered. As a security analyst, I can tell you there are plenty of security applications that red/yellow flag certificates from that service because they’re frequently used in malicious websites. So yes, your browser isn’t going to throw a warning but if you want other businesses to visit your website without their security team looking into it, or it possibility being automatically being blocked, then I really suggest you stay away from those certs or any service offering them for free (not exactly the same as being included with your hosting package). The bottom line being If you’re not paying for the cert in some form, you’ll probably going to raise a flag in some security monitoring application. If that’s acceptable to you, then by all means, proceed.
Peter Davey
Can anyone suggest a reason why a site that only provides information and doesn’t interact with users (e.g. logins, messaging) would need to encrypt its traffic?
Valuation that the site is what it claims to be might be one, but consider – in a world where most sites use https, how many users would notice if they were redirected to a rogue https site?
Peter Davey
Validation, of course. I had autocorrupt turned on.
Mark Stockley
Validation, yes. It also prevents anyone from intercepting and tampering with the content between leaving you and arriving with the user (e.g. ad injection or ad swapping).
It’s also better for users if all sites are encrypted because it makes it harder to track them and removes points of interest that occur when some things are encrypted and some are not.
Colin Cogle
Besides the knowledge that your traffic won’t be snooped or modified in transit (either by an attacker, three-letter agency, or an ancient corporate proxy appliance), a secure context is a requirement for almost every new technology. Secure-only features include speed-boosting inventions like HTTP/2, Brotli compression, and SDCH compression; but also other features like Service Workers, geolocation, Web Payments API, WebUSB, Web MIDI, Web Bluetooth, etc.
Patricia Lee
Coolcom.com | Domain.ca is one of Canada’s largest Hosting and CIRA Certified Domain registries since 1999. Given the urgency of the situation and gravity of the potential costs.. It would be helpful to note that SSL is included with all accounts (single domain to wild card) as is Privacy with all domain Registrations.
William Warren
Mark, did you see the comment i posted for you?
Mark Stockley
I did, I replied here: https://nakedsecurity.sophos.com/2018/03/12/with-4-months-to-switch-on-https-are-web-hosting-companies-ready/#comment-5030119
Lorian Bartle
Thank you for charting out the math. Its amazing how this one change (forcing a switch to SSL) completely reverses the value of some these hosting services.
Lorian Bartle