Charlottezweb

Charlottezweb Hosting => Support => FAQs => Topic started by: Jason on April 01, 2017, 03:02:36 PM

Title: SSL Explained -- cPanel now offers free certificates, some companies require it
Post by: Jason on April 01, 2017, 03:02:36 PM
Quick Summary -- Charlottezweb is now offering free (cPanel-provided) Comodo SSL certificates for all accounts.  This is in place and active as of last week.  Customers with purchased SSL certificates were purposely skipped so as not to impact their certs. Please note - the free certs are suitable for personal/hobby sites but I still highly recommend purchased certs for customers/sites that conduct eCommerce as they have definite advantages over the free ones.  See below for details.

The longer story with background...

I've been receiving questions from customers lately around SSL and securing web sites due to the recent pushes by Google and some web browsers to promote secure connections.  

What does this mean?
At a very high level, there are basically two ways to access a website.  You can access it via http://  or https://  (note the "s" in the second example).  The first option uses non-encrypted connectivity which means the data transmitted between your computer and the destination server are not protected.  This is perfectly acceptable for viewing pages where you're not exchanging any personal information such as your name, address, payment information, logins/passwords, etc.  However, if you are on a page where you are exchanging any of the information just mentioned, it should be protected by SSL (Secure Sockets Layer) encryption.  This is where the https://  (notice the "S") comes into play. This means that all data transmitted between your computer and the destination server are encrypted to prevent an unauthorized party from intercepting and viewing it during transmission.

This is what drives the padlock icon you may see in your browser when you visit certain sites like Charlottezweb's Client Area, your bank, etc. (See below for example)

(https://www.charlottezweb.com/images/ssl-example.gif)

I've noticed that my site now shows a broken padlock -- What do I do if I want to fix this on my site?
As mentioned above, some browsers are starting to warn users when you try to login or when you visit them with a "broken" padlock icon next to the URL.  This is an effort by the likes of Google (Chrome), Mozilla (Firefox), etc to promote and attempt to force sites to start requiring SSL/encryption.

In order to get that secure message to go away, you have to use SSL (https) to access all pages and content on your site.

Historically to accomplish this you needed to purchase a dedicated IP address and an SSL certificate to install.  You then had to configure your site code to use all https.  Charlottezweb charges $20/year for a dedicated IP address and we offer various SSL certificates that you can view here (https://www.charlottezweb.com/security.php).  

CPanel recently started offering FREE certificates (which I installed for all customers without a purchased cert) last week.   This is great for personal/hobby sites but I wouldn't recommend it for anything eCommerce.  This means that as a customer, you can now access your site via https://www.yoursite.com and you can view that you have an SSL cert installed.  

A few considerations:
1. You may need to adjust your site's coding to use https instead of http so the padlock works.  All elements on your site will need to load via https to prevent the broken padlock.
2. The FREE certificates cPanel offers are good for 3 months and should renew automatically.
3. I've had a few customers trying to use their own domain names for SSL email (vs. using the server hostname) and it hasn't always worked.  If you're using a server hostname for email, I'd probably stick with that for now until more is learned on this.
4.  To repeat what I said at the top -- if your website is not a personal/hobby site, I would highly recommend sticking with a commercial certificate for SSL.  It will likely have a higher browser trust rate, it will show your business name/information (vs. showing your site owned by cPanel), and has additional benefits.  Feel free to contact me for details.

---

A few articles on this topic:

https://motherboard.vice.com/en_us/article/google-will-soon-shame-all-websites-that-are-unencrypted-chrome-https

https://www.wordfence.com/blog/2017/01/chrome-56-ssl-https-wordpress/

Regards,
Jason