Free AutoSSL at Massive Impressions

AutoSSL: Free SSL Certificates?

Here’s a surprise from the servers that turned out to be a delight for a change: AutoSSL. Now your Massive Impressions Managed Hosting Account comes with free, auto-renewed, basic , doman validated SSL certificates. What does this mean? It means your site gets the security and SEO benefits of SSL without having to go through an initial business validation process. It means you don’t have to remember to renew the certificate every year. Basic SSL isn’t enough to meet all SSL requirements, but it’s better than having no SSL.

Since the summer of 2014 Google began increasing the importance of having a site served via HTTPS (Secure Web Page Transport). HTTPS uses an encryption protocol called SSL (Secure Sockets Layer). When web pages are served and browsed using SSL encryption, the pages are served in HTTPS protocol, meaning they’re served and read using a common, pre-agreed upon protocol or set of rules.

What is SSL?

SSL Certificates enable e-commerce by encrypting sessions between a visitor’s browser and the web server. They serve the content using the encrypted protocol called HTTPS. Practically, they are blocks of code that a business has to purchase from a certificate issuing authority. These blocks of code “prove” the identity of the server while at the same time providing an encryption key to the browsers surfing to that server’s pages so that the browsers can speak in code. The key allows the browser and server to communicate in a code that’s very difficult for anyone eavesdropping to understand or duplicate.

Sites served via non-encrypted HTTP did not protect the information passing back and forth between a visitors’ browser and web servers. Web pages addresses that begin with http:// do not protect the information. It’s readily snoopable, not encrypted. For a long time it didn’t matter at all, for most sites, that their sessions were non-encrypted and used HTTP.

Only sites doing e-commerce, passing order information and credit card details back and forth, had requirements to use HTTPS.  Sites that managed protected information are also secured administrators from outside snooping using HTTPS. In order to implement an HTTPS enabled server and website, administrators have traditionally purchase SSL certificates, renewable each year for typically several hundreds of dollars apiece.

Now SSL Matters Everywhere

In 2014 Google started using HTTPS as a ranking signal.  Sites that had SSL certificates were given better ranks on search engine results pages. HTTPS content ranked better against equivalent content served without SSL certificates. At first, back in 2014, the weight of this signal was low, but empirical observation of who is ranking reveals now over 50% of the sites on the first page of Google, for popular search terms, have SSL. This is pretty dramatic when you consider that only 1.4% of the top 1 million websites were using SSL in 2014 at the time when Google first announced that SSL would be a signal.

So the bottom line is that SSL is really good for a website. It protects customer data in the manner customers expect and it helps sites rank on Google.

SSL Security Is More Important Than Ever

We’ve heard some pretty embarrassing things in the news lately. Data breaches are embarrassing because, deep down, everyone knows someone didn’t do their job correctly. Data breaches are most often caused by bad handling of data. The recent Equifax data breach earlier this year revealed Equifax’s Chief Security Officer to be under-skilled to maintain data security. This was extra-embarassing for the central corporation whose brand promise was to keep data safe. Equifax, unfortunately wasn’t alone or the most important miscalculation around the importance of keeping critical data safe.

Bad Security Decisions Cost Can Cost a Brand Everything

It’s foolish to think that John Podesta’s emails were safe, being that Google was mail service vendor. How many customer service people in how many countries had access to open his mailbox and copy everything within seconds? Do you hear about that in the news? No, you wont. Because big companies know that keeping the trust of their customers is how they stay in business. A business can’t do well if it’s audience loses trust in it, right? That’s a question businesses really need to ask themselves in 2017.

Google Gets Even More Serious About Slack Security

Chrome, the web browser made by Google, has recently begun displaying a warning icon for sites that aren’t served with SSL. Sites served via HTTP or incomplete HTTPS have a small gray exclamation point in a gray circle to the left of the web address. This can be confusing and even troubling to web visitors who don’t understand what it means.

  • A site served using HTTP non-encrypted protocol shows a warning icon to the left of the web address.insecure site warning in chrome

Luckily one of the things businesses can do to keep their customer’s data and corporate data safe is to employ STRONG ENCRYPTION. Google is going to tell your customers that your site is “not secure” otherwise.

This is the warning shown in Chrome with no SSL.

Using SSL certificates to prevent your data from getting snooped is simply due-diligence, but it’s also been quite expensive and complicated up until now. Now something new has emerged that lets companies leverage strong encryption at an order of magnitude lower cost.

The 3 Types of SSL Certificates

SSL Certificates come in three varieties: basic, Domain Validated SSL (DV SSL), Organization Level Verification SSL  (OV SSL) and Extended Validation SSL (EV SSL). This site, at the time this post was published, uses a type of EV SSL certificate that spans multiple domains and costs close to $400 each year. It shows both the parent company name (if any) and a DBA name.

  • Massive Impressions is a brand owned by Pelish Marketing, Inc. so both names are shown in a green section in the browser address bar before the web address. This is how an EV SSL certificate enabled site’s address appears in the browser’s address bar:
    ev-ssl-example-browser-bar
  • An example of a site that uses an OV SSL certificate (because they are an organization) is GoldCoastTigerBayClub.com.
    ov ssl example goldcoasttigerbayclub
  • An example of a site just configured to use the basic DV SSL certificates produced by the AutoSSL feature is Dollars4TicScholars.org.dv ssl example dollars4ticscholars

Not only has there been a lot of recent attention to data security, but there’s also been a lot of drama between Google and Symantec over this last summer. Google claimed Symantec issued certificates but didn’t follow proper validation requirements. This came with threats to invalidate Symantec certificates within Chrome. This would be very costly for current holders of Symantec certificates, if Google follows through on its threats.

Is Free SSL for Real?

The silver lining to these recent rocky times in the SSL world is a new, cool phenomenon that translates into improved value for website owners for the time being. A few months ago we were researching hosting company offerings in order to refine which services we’d offer and at what price point we could afford to offer them. Something that was new, that hosting companies hadn’t offered before, was free SSL certificates. Some of these offers involved SSL certificates that were only free for a small window of time, 30 to 90 days, and then had to be replaced with paid certificates. Others were directing hosting clients to 3rd party sites that were handing out basic SSL certificates like LetsEncrypt. The basic premise was that website administrators could grab free certificates and install them on client sites without having to pay licensing fees or go through lengthy validation processes.

The Massive Impressions servers don’t use Microsoft operating systems – they’re not Windows servers. They’re Centos servers. This means they are the same kind of servers used by lead companies to keep their websites running 24/7, as robust and safe as possible. The server performing it’s role involves three levels: the physical hardware, the connection to the Internet and the software running on the server. The operating system has licensed layers of administrative software, and one of them includes an ability to implement a very new feature, AutoSSL. We now have AutoSSL implemented on the Massive Impressions servers, and it gives us the ability to generate and deploy basic SSL certificates for our hosting clients, for free. 

AutoSSL is a service that runs on the server that automatically installs and retrieves new, free, basic SSL certificates whenever the old certificates expire. This lets us at Massive Impressions provision new accounts with basic SSL at no additional charge, by default as an OEM service that comes with every account.

Will free certificates created with AutoSSL meet requirements for e-commerce?

This is an important question to answer, and unfortunately the situation is so new and the environment changing so rapidly, than any answer provided accurately today might be inaccurate tomorrow.  Applications that require SSL to function (for example WooCommerce and some of its Extensions) will be able to be used where before absence of SSL prevented them from working.  This lets us create development instances that use SSL without added cost and it allows sites that technically depend on SSL but aren’t doing credit card transactions to simplify their costs and use basic SSL. Some payment gateways may or may not allow basic SSL certificates to be used and may require OV or EV certificates still.

We will be testing the differences between employing basic vs. paid SSL certificates in the coming months. These certificates may not be offered for free forever as rules change and the companies involved become more or less motivated to continue. There are already requirements above SSL being dictated by payment gateways, so they’ll always have the final say in what we need to do to keep the money flowing.  We’ll let you know what we discover. Hopefully it will be more delightful surprises.