Comments on: Switching Your Site to HTTPS on a Shoestring Budget

By: Mic Sumner

Mic Sumner — Tue, 19 Sep 2017 19:26:48 +0000

In reply to Ken.

@Ken Let’s Encrypt does take a bit of knowledge to get it running. But if you’ll not be going into any sensitive data through the use of the CloudFlare CDN, then you may opt for the CloudFlare route.

But if you’ve got Let’s Encrypt through your hosting provider — by all means opt for that! I’d love to have a PCI-compliant TLS certificate any time of the day!

Kind regards,

Mic Sumner

By: Mic Sumner

Mic Sumner — Tue, 19 Sep 2017 19:23:53 +0000

In reply to Khek.

Thank you for the reply Khek.

Good to know that Let’s Encrypt is now the more obvious choice!

Hope any CloudFlare staff might respond to this?

Kind regards,

Mic Sumner

By: veganaiZe

veganaiZe — Wed, 13 Sep 2017 21:46:10 +0000

Yes, letsencrypt.org should definitely be mentioned for “shoestring budget”. And “SSL” is an old acronym that shouldn’t be used because it has long since been replace by TLS which does lots of marvelous things like allowing you to apply multiple certs over a single IP! C’mon people –Get with the times!

By: Tim

Tim — Wed, 13 Sep 2017 20:19:01 +0000

One thing to note, if you are doing any kind of financial transactions you will want your site to be PCI-compliant — and so will your payment gateway. If you go the CloudFlare route, you’ll have to upgrade to their $200/month plan. But, that’s fair. You’re hypothetically making money.

By: Khek

Khek — Tue, 12 Sep 2017 17:45:57 +0000

As mentioned by Ed Zahurak, there are very serious security risks involved in relying on a CDN for security. Remember Cloudbleed?

The bug was serious because the leaked memory could contain private information and because it had been cached by search engines. We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence. https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/

In other words, nobody will ever know how bad it really was, and some information ("full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything") might still be publicly queryable. Let's Encrypt provides end-to-end encryption whereas Cloudflare doesn't. So for my money (they're both free!) it's a more secure solution regardless of whether or not you're sending data to your server. Hope this helps some folks decide!

By: Drew

Drew — Tue, 12 Sep 2017 07:48:15 +0000

In reply to Rob. I disagree, IE and Edge work absolutely fine with out any warnings for sites I've set up with Cloudflare free SSL

By: Tom

Tom — Fri, 08 Sep 2017 14:47:05 +0000

In reply to Martin.

A lot of hosting providers let you install it just by clicking on one button. Here is an up-to-date list of these companies https://community.letsencrypt.org/t/web-hosting-who-support-lets-encrypt/6920

By: Justin

Justin — Thu, 07 Sep 2017 13:49:18 +0000

In reply to Ken. I didn't get that implication, just that it was the 'easier' route rather than the only free route. Let's Encrypt is wonderful, but some technical knowledge is required to get it running.

By: Mic Sumner

Mic Sumner — Wed, 06 Sep 2017 11:48:27 +0000

Hi Chris Schmitt, I agree, some hosting providers don't have a free SSL like Let's Encrypt, so we'll have to opt for a CDN's reverse proxy to account for this if the client wishes to stay on their hosting for their reasons. But I'm pretty sure hosting providers will provide Let's Encrypt SSL since come-on it's everywhere and it's great! One Question: Why do we choose 'Full', as this does not seem to work! Instead, we will have to set this to Flexible SSL please. Please review this here at CloudFlare's SSL options. Love Cloudflare since the website would then be able to make use of HTTP/2 protocol among other CloudFlare server enhancements — which a great thing if your current hosting provider doesn't have these enhancements! Kind regards, Mic Sumner

By: Jonathon

Jonathon — Wed, 06 Sep 2017 06:52:15 +0000

In reply to Martin. There are definitely hosting providers that make it a 1-click process by utilizing Let's Encrypt. I know Siteground generates certificates automatically whenever you add a new domain to your hosting account, you don't even have to do it yourself. I'm guessing other hosting providers have started doing that as well.

By: Kyle Foster

Kyle Foster — Wed, 06 Sep 2017 04:09:21 +0000

I’d highly recommend you check out https://fly.io instead of Cloudflare. Setup is about 20 times easier, and they’re good folks.

By: Zak

Zak — Tue, 05 Sep 2017 20:22:28 +0000

I want to echo Netlify! It's perfect (and free!) for static sites. The deploy options are super easy - you can upload via a command lien tool, hook it to a git repository (and run build scripts if necessary), or just drag and drop a static folder into their web interface. And, of course, you can enable HTTPS on custom domain names! They can manage DNS for you or you can point your own DNS records to their servers, and both options allow HTTPS.

By: Chris Coyier

Chris Coyier — Tue, 05 Sep 2017 15:58:13 +0000

I was pleasantly surprised at how easy it was to install Let’s Encrypt in Plesk on a Media Temple DV: https://css-tricks.com/media-temple/

By: Dave

Dave — Tue, 05 Sep 2017 14:18:16 +0000

I’ve been looking to make this switch for a while, but have a question that I can’t find the answer to, maybe you guys can help me find it:

Our site is hosted remotely but with one important part of our site is using iframes to display content that is on a server here in our office. It’s my understanding that if I were to enable the https on the main site the iframes would no longer work, since the server here does not have SSL set up.

Is SSL domain based or server based?

Do I need to get SSL setup on both servers for all to function properly?

Thanks

By: Rob

Rob — Tue, 05 Sep 2017 11:44:57 +0000

Cloudflare free SSL will show warnings in all versions of internet explorer.
If you want to support all browsers then you need to use their paid plan or buy a dedicated cert from them.