Comments on: Switching Your Site to HTTPS on a Shoestring Budget https://css-tricks.com/switching-site-https-shoestring-budget/ Tips, Tricks, and Techniques on using Cascading Style Sheets. Tue, 19 Sep 2017 19:26:48 +0000 hourly 1 https://wordpress.org/?v=6.2.2 By: Mic Sumner https://css-tricks.com/switching-site-https-shoestring-budget/#comment-1611919 Tue, 19 Sep 2017 19:26:48 +0000 http://css-tricks.com/?p=259594#comment-1611919 In reply to Ken.

@Ken Let’s Encrypt does take a bit of knowledge to get it running. But if you’ll not be going into any sensitive data through the use of the CloudFlare CDN, then you may opt for the CloudFlare route.

But if you’ve got Let’s Encrypt through your hosting provider — by all means opt for that! I’d love to have a PCI-compliant TLS certificate any time of the day!

Kind regards,

Mic Sumner

]]>
By: Mic Sumner https://css-tricks.com/switching-site-https-shoestring-budget/#comment-1611918 Tue, 19 Sep 2017 19:23:53 +0000 http://css-tricks.com/?p=259594#comment-1611918 In reply to Khek.

Thank you for the reply Khek.

Good to know that Let’s Encrypt is now the more obvious choice!

Hope any CloudFlare staff might respond to this?

Kind regards,

Mic Sumner

]]>
By: veganaiZe https://css-tricks.com/switching-site-https-shoestring-budget/#comment-1611770 Wed, 13 Sep 2017 21:46:10 +0000 http://css-tricks.com/?p=259594#comment-1611770 Yes, letsencrypt.org should definitely be mentioned for “shoestring budget”. And “SSL” is an old acronym that shouldn’t be used because it has long since been replace by TLS which does lots of marvelous things like allowing you to apply multiple certs over a single IP! C’mon people –Get with the times!

]]>
By: Tim https://css-tricks.com/switching-site-https-shoestring-budget/#comment-1611769 Wed, 13 Sep 2017 20:19:01 +0000 http://css-tricks.com/?p=259594#comment-1611769 One thing to note, if you are doing any kind of financial transactions you will want your site to be PCI-compliant — and so will your payment gateway. If you go the CloudFlare route, you’ll have to upgrade to their $200/month plan. But, that’s fair. You’re hypothetically making money.

]]>
By: Khek https://css-tricks.com/switching-site-https-shoestring-budget/#comment-1611734 Tue, 12 Sep 2017 17:45:57 +0000 http://css-tricks.com/?p=259594#comment-1611734 As mentioned by Ed Zahurak, there are very serious security risks involved in relying on a CDN for security.

Remember Cloudbleed?

The bug was serious because the leaked memory could contain private information and because it had been cached by search engines. We have also not discovered any evidence of malicious exploits of the bug or other reports of its existence.
https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/

In other words, nobody will ever know how bad it really was, and some information (“full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything”) might still be publicly queryable.

Let’s Encrypt provides end-to-end encryption whereas Cloudflare doesn’t. So for my money (they’re both free!) it’s a more secure solution regardless of whether or not you’re sending data to your server. Hope this helps some folks decide!

]]>
By: Drew https://css-tricks.com/switching-site-https-shoestring-budget/#comment-1611717 Tue, 12 Sep 2017 07:48:15 +0000 http://css-tricks.com/?p=259594#comment-1611717 In reply to Rob.

I disagree, IE and Edge work absolutely fine with out any warnings for sites I’ve set up with Cloudflare free SSL

]]>
By: Tom https://css-tricks.com/switching-site-https-shoestring-budget/#comment-1611676 Fri, 08 Sep 2017 14:47:05 +0000 http://css-tricks.com/?p=259594#comment-1611676 In reply to Martin.

A lot of hosting providers let you install it just by clicking on one button. Here is an up-to-date list of these companies https://community.letsencrypt.org/t/web-hosting-who-support-lets-encrypt/6920

]]>
By: Justin https://css-tricks.com/switching-site-https-shoestring-budget/#comment-1611655 Thu, 07 Sep 2017 13:49:18 +0000 http://css-tricks.com/?p=259594#comment-1611655 In reply to Ken.

I didn’t get that implication, just that it was the ‘easier’ route rather than the only free route. Let’s Encrypt is wonderful, but some technical knowledge is required to get it running.

]]>
By: Mic Sumner https://css-tricks.com/switching-site-https-shoestring-budget/#comment-1611633 Wed, 06 Sep 2017 11:48:27 +0000 http://css-tricks.com/?p=259594#comment-1611633 Hi Chris Schmitt,

I agree, some hosting providers don’t have a free SSL like Let’s Encrypt, so we’ll have to opt for a CDN’s reverse proxy to account for this if the client wishes to stay on their hosting for their reasons.

But I’m pretty sure hosting providers will provide Let’s Encrypt SSL since come-on it’s everywhere and it’s great!

One Question:
Why do we choose ‘Full’, as this does not seem to work! Instead, we will have to set this to Flexible SSL please. Please review this here at CloudFlare’s SSL options.

Love Cloudflare since the website would then be able to make use of HTTP/2 protocol among other CloudFlare server enhancements — which a great thing if your current hosting provider doesn’t have these enhancements!

Kind regards,

Mic Sumner

]]>
By: Jonathon https://css-tricks.com/switching-site-https-shoestring-budget/#comment-1611626 Wed, 06 Sep 2017 06:52:15 +0000 http://css-tricks.com/?p=259594#comment-1611626 In reply to Martin.

There are definitely hosting providers that make it a 1-click process by utilizing Let’s Encrypt. I know Siteground generates certificates automatically whenever you add a new domain to your hosting account, you don’t even have to do it yourself. I’m guessing other hosting providers have started doing that as well.

]]>
By: Kyle Foster https://css-tricks.com/switching-site-https-shoestring-budget/#comment-1611622 Wed, 06 Sep 2017 04:09:21 +0000 http://css-tricks.com/?p=259594#comment-1611622 I’d highly recommend you check out https://fly.io instead of Cloudflare. Setup is about 20 times easier, and they’re good folks.

]]>
By: Zak https://css-tricks.com/switching-site-https-shoestring-budget/#comment-1611619 Tue, 05 Sep 2017 20:22:28 +0000 http://css-tricks.com/?p=259594#comment-1611619 I want to echo Netlify! It’s perfect (and free!) for static sites. The deploy options are super easy – you can upload via a command lien tool, hook it to a git repository (and run build scripts if necessary), or just drag and drop a static folder into their web interface. And, of course, you can enable HTTPS on custom domain names! They can manage DNS for you or you can point your own DNS records to their servers, and both options allow HTTPS.

]]>
By: Chris Coyier https://css-tricks.com/switching-site-https-shoestring-budget/#comment-1611617 Tue, 05 Sep 2017 15:58:13 +0000 http://css-tricks.com/?p=259594#comment-1611617 I was pleasantly surprised at how easy it was to install Let’s Encrypt in Plesk on a Media Temple DV: https://css-tricks.com/media-temple/

]]>
By: Dave https://css-tricks.com/switching-site-https-shoestring-budget/#comment-1611614 Tue, 05 Sep 2017 14:18:16 +0000 http://css-tricks.com/?p=259594#comment-1611614 I’ve been looking to make this switch for a while, but have a question that I can’t find the answer to, maybe you guys can help me find it:

Our site is hosted remotely but with one important part of our site is using iframes to display content that is on a server here in our office. It’s my understanding that if I were to enable the https on the main site the iframes would no longer work, since the server here does not have SSL set up.

Is SSL domain based or server based?

Do I need to get SSL setup on both servers for all to function properly?

Thanks

]]>
By: Rob https://css-tricks.com/switching-site-https-shoestring-budget/#comment-1611610 Tue, 05 Sep 2017 11:44:57 +0000 http://css-tricks.com/?p=259594#comment-1611610 Cloudflare free SSL will show warnings in all versions of internet explorer.
If you want to support all browsers then you need to use their paid plan or buy a dedicated cert from them.

]]>