info|mjb

SSL Not That Hard, or Expensive


Deploying SSL on a web site can seem daunting, but despite the obstacles it does not have to be technically challenging or expensive. In fact, an SSL-enabled website can be set up in under thirty minutes, for close to zero dollars, if the user already owns the domain.

There are really only three things required to deploy SSL to a website:

  • Valid Domain Name
  • Valid SSL Certificate
  • Web Server

Valid Domain Name

This is the easiest of the three things needed for SSL, and the author assumes that the user already has a domain name.

Valid SSL Certificate

Surprisingly, this part is not actually hard at all. There are many different vendors that offer SSL certificates. None of them is really any better than another from a technical perspective. They're more or less just organizations that say their users are who they say they are. The actual encryption that occurs happens entirely on the end user's own hardware.

Some of the certificate vendors offer their basic services gratis. One such vendor is StartSSL.

In most cases the end user does not need to do anything other than validate that they own the domain they're trying to acquire a certificate for. The actual certificate generation can typically be done through the certificate vendor. The end user needs only to save their key to a safe place, and install their certificate.

Calomel has an excellent description of SSL certificates, what they are for, and how to make signing requests.
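As an added example (not from the original post or from Calomel's guide), the key and signing request can be generated locally with the openssl command line, so that only the request is sent to the certificate vendor and the key stays in a file readable by its owner alone. The domain and directory passed in, and the function names, are placeholders chosen for illustration.

```shell
#!/bin/sh
# Added example: create a private key and a certificate signing request (CSR)
# locally, then confirm the CSR carries the public half of that key.
# Function names, domain and output directory are illustrative assumptions.

# make_csr DOMAIN OUTDIR -> writes OUTDIR/DOMAIN.key and OUTDIR/DOMAIN.csr
make_csr() {
    domain=$1
    outdir=$2
    (
        # Everything created in this subshell is accessible by the owner only.
        umask 077
        mkdir -p "$outdir" &&
        # -nodes leaves the key unencrypted on disk, so the file permissions
        # (and where the file is stored) are what protect it.
        openssl req -new -newkey rsa:2048 -nodes -sha256 \
            -subj "/CN=$domain" \
            -keyout "$outdir/$domain.key" \
            -out "$outdir/$domain.csr" 2>/dev/null
    )
}

# SHA-256 of the public key derived from a private key file
pubkey_digest_of_key() {
    openssl pkey -in "$1" -pubout 2>/dev/null |
        openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the public key embedded in a CSR
pubkey_digest_of_csr() {
    openssl req -in "$1" -noout -pubkey 2>/dev/null |
        openssl dgst -sha256 | awk '{print $NF}'
}

# csr_matches_key KEY CSR -> succeeds only if both hold the same public key
csr_matches_key() {
    k=$(pubkey_digest_of_key "$1")
    c=$(pubkey_digest_of_csr "$2")
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Usage: sh make_csr.sh example.com ./tls   (the script file name is arbitrary)
if [ "$#" -eq 2 ]; then
    make_csr "$1" "$2" &&
        csr_matches_key "$2/$1.key" "$2/$1.csr" &&
        echo "CSR ready to submit: $2/$1.csr"
fi
```

The same digest comparison works for the issued certificate by reading its public key with `openssl x509 -noout -pubkey`, which catches installing a certificate next to the wrong key.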

Web Server

This one is easy at face value. If a web page is available over the public internet, it is already being hosted by a web server. Many of the convenient (easy) hosts out there, like Blogger or WordPress, have solutions; however, those might not be helpful, for reasons already listed. We can broadly group web servers into three categories:

  • Convenient "Platforms" - Blogger, WordPress, Tumblr...
  • "Shared" Hosts - Think cPanel access, like BlueHost, Gator...
  • DIY, Or "Cloud" Services

Convenient Platforms

Services like WordPress, Tumblr, Blogger, etc. are all very easy to start leveraging, which is one of the reasons these services are so popular. These services also typically offer "community" features that can really help get a site, or blog, discovered.

However, this convenience comes at a price. Sometimes the price is dollar value, but more often than not the price is (lack of) flexibility, loss of experience, and lock-in.

Do not forget, these services generally exist to make money, and/or traffic for their overlords. Chances are their users are part of the platform's product, and there's nothing wrong with that for many users.

However serious users should run.

Wget your site, and do not look back.

Shared Hosts

This was written in 2015. Affordable cloud services from big, and little vendors have been available for years. Nevertheless shared hosting is still relatively popular, and some FLOSS blogging platforms, like WordPress, can be "self hosted" on shared hosts.

SSL with shared hosts varies from service to service, and at the very least will probably add a few dollars to the user's monthly fee for setup, and/or a dedicated IP address.

Simple searches of popular shared hosts seem to turn up fees of about four dollars a month, plus a hosting package.

DIY, or Cloud Services

Do it yourself servers come in many shapes, and sizes. I have a static IP at home, and I host a web server from home. Since I was going to have internet at home anyway, and since I have a dedicated IP address this costs me nothing. DIY servers can also "self host" FLOSS blogging platforms, like WordPress.

There are many different web serving programs out there. Popular FLOSS programs include:

Most GNU/Linux distributions have easily installable packages for these, and other HTTP servers. Apple's popular OS X ships with Apache's server. Microsoft users can also run Apache, and nginx. Microsoft also ships its own proprietary web server called IIS.

However, most people probably do not want to (and really should not) host their own websites from their homes. One simple reason why is that it's very easy to DoS, just by watching Netflix.

Cloud services like Amazon, Google, and Azure will let end users "rent" their own server. Shared hosts typically offer this service too, but the difference is that typically "cloud" servers will be virtual, whereas shared hosts will set aside physical servers. In short, virtual servers are what make "cloud" computing so affordable.

Another however, though. Maintaining a server, virtual or otherwise, is empowering, but also a big responsibility, and should not be taken lightly. This is especially true when hosting anything "dynamic" on the server side. WordPress for example, using PHP and MySQL, would be considered dynamic; additionally, a database server needs to be managed too!

Cloud Services II

So far it seems like there are a lot of barriers to setting up, and maintaining an encrypted site. Troy's Assessment seems very accurate.

However I did mention an SSL enabled site could be done at close to zero cost, and that was not just a hook.

There are many pitfalls to administering web servers, which helped make services like WordPress flourish. However while WordPress was flourishing the larger scale web companies were also flourishing, building data centres all over the world, and even installing "edge" locations with various ISPs.

We already talked about renting virtual servers from these cloud providers, but they'll also let you leverage their redundant scaling infrastructure in other ways.

Amazon in particular offers a storage system called "S3", a DNS system called "Route 53", and a CDN system called "CloudFront". These three systems can be set up through a simple web-based point-and-click interface. Additionally, most of Amazon's services are gratis for an initial period, or below certain volumes.

Presumably other cloud players, like Google, Microsoft, and Linode offer similar packages.

Here are some detailed instructions for configuring Amazon's systems. Fisher-Fleig's instructions do depend on the AWS command line, but there's a good possibility this could be avoided.

One important note about Amazon's S3 service is that it is static.

Conclusion

There definitely seem to be a number of obstacles to setting up SSL, at least at first. However, hosting a static web site over SSL is inexpensive, and easy to set up with at least one cloud service vendor.

Some people might take a lot of issue with the static limitation, but I see it as an advantage, and I would like to explore that advantage in an upcoming post.