When things go wrong: SSL certificates


Google had the best of intentions when it suggested (mandated) that all websites have secure sockets layer (SSL) encryption between the web server (your host) and browsers. This has been a long-time requirement for any web page (or better, website) processing confidential information, like credit card or PayPal transactions (called online payment processing). Hosting companies like Bluehost and GoDaddy charged about $12/month for these certificates and also made websites upgrade to dedicated servers ‘for security reasons’. This was a very lucrative profit center for them.

Google gave us all two years to add SSL certificates to our sites before they began down-ranking. Concurrently, the Linux Foundation created Let’s Encrypt, a free, automated and open source certificate authority. While initial acceptance was suspicious, to put it politely, it has gained wide acceptance and is now the SSL of choice. There is absolutely no difference between a Let’s Encrypt SSL certificate and any other. They all work the same (except for the government ones).

The problem quickly became the ‘free’ part. Large web hosts suddenly saw an income stream, which they had thought was going to skyrocket with Google’s SSL mandate, evaporate. Their other problem was (and is) that they are responsible for transitioning their clients’ websites from the http to the https protocol. This is a labor-intensive pain-in-the-you-know-what.

Good news / bad news.

The good news is that for new websites created after the Google mandate, SSL encryption and the https protocol are there from the start. You just need to make sure that your web host is keeping the certificate up to date, which some have been lazy about.

The bad news is for websites that transition from http to https. Many fall into the ‘mixed content’ trap, which confuses browsers and causes them to issue warnings to visitors or just flat out refuse to connect to that site. The confusion comes when http://www.yourwebsite.com has been hard-coded deep in the site’s code, so a page served over https still requests some of its resources over http. There should be an automatic redirect to https://www.yourwebsite.com, but this doesn’t always happen. Host companies should run a process that scans for all instances of mixed content and converts them to the new protocol. This should be part of the SSL/https upgrade.

Yes, well, potato chips should be fat-free but they’re not.

If you find that your site is generating warning messages, you can check for mixed content using a Chrome app called HTTPS Mixed Content Locator. There is also a good WordPress plugin called SSL Insecure Content Fixer that you can run; instructions are here.
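A minimal scanner for the hard-coded `http://` references described above, as an added example rather than code from this post or from either tool it mentions. The sample page is constructed, and the class and function names are illustrative.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags/attributes that make the browser fetch a subresource. <a href> is
# navigation, not mixed content, so it is deliberately absent.
FETCH_ATTRS = {"script": ("src",), "iframe": ("src",), "embed": ("src",),
               "object": ("data",), "img": ("src", "srcset"), "audio": ("src",),
               "video": ("src", "poster"), "source": ("src", "srcset")}
# Active content is blocked by browsers; passive content (images, media)
# typically draws a warning or is auto-upgraded.
ACTIVE = {"script", "iframe", "embed", "object", "link"}

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, kind, url)

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "link":  # stylesheets only; rel=canonical is never fetched
            rels = attrs.get("rel", "").lower().split()
            names = ("href",) if "stylesheet" in rels else ()
        else:
            names = FETCH_ATTRS.get(tag, ())
        for name in names:
            value = attrs.get(name, "")
            if name == "srcset":  # comma-separated "url descriptor" candidates
                urls = [c.split()[0] for c in value.split(",") if c.strip()]
            else:
                urls = [value.strip()]
            for url in urls:
                if urlsplit(url).scheme == "http":
                    kind = "active" if tag in ACTIVE else "passive"
                    self.findings.append((self.getpos()[0], tag, kind, url))

def find_mixed_content(html):
    """Return (line, tag, kind, url) for each subresource hard-coded to http://."""
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page; www.yourwebsite.com is the post's placeholder domain.
SAMPLE_PAGE = """<link rel="stylesheet" href="http://www.yourwebsite.com/style.css">
<link rel="canonical" href="http://www.yourwebsite.com/">
<a href="http://www.yourwebsite.com/about">About</a>
<script src="https://www.yourwebsite.com/app.js"></script>
<img src="/photo.jpg" srcset="http://www.yourwebsite.com/photo-2x.jpg 2x">
<script src="http://www.yourwebsite.com/legacy.js"></script>"""
```

Calling `find_mixed_content(SAMPLE_PAGE)` reports the stylesheet, the `srcset` image and the legacy script, and skips the plain link and the canonical tag, which do not trigger mixed-content warnings.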

My recommendation, however, is to start by calling your web host and speaking with technical support. This is their problem and your subscription fees go towards them fixing it. With a simple install, I would question any effort they make to charge extra for this maintenance.
