The world of SSL certs has drastically changed over the past couple of years. Two of these things that have changed are 1) Google has started using SSL certs as a ranking factor and 2) an organization called Let’s Encrypt has starting giving out free, 90-day, domain-validated(DV) certificates.
I believe these two factors combined is going to drive web hosts to start offering free SSL certs as they start integrating the process of installing and renewing Let’s Encrypt DV ssl certs within their web hosting back ends.
Below I will be discussing some back ground information related to Google’s ranking of SSL certs and Let’s Encrypt’s arrival on the SSL scene. If you just want to see my recommendation for a good web host that offers free SSL certs just click here.
When Google says “Jump”, websites owners ask “How high?” on their way up.
Organic search engine traffic is the life-blood of many websites. Any changes to Google’s ranking algorithm tends to make website owners very nervous especially if they’re focusing on black hat and grey hat tactics(aka trying to game Google’s ranking algorithm.) This is very understandable because a drop in rankings can literally cause a website to lose a lot of visitors and as a result, a lot if not all of its revenue.
When Google announced that it was going to start using SSL certs as a ranking factor, you can be sure a lot of website owners immediately went out and bought SSL certs. You can also be sure that SSL cert providers were salivating at the opportunity to sell more SSL certs by scaring people into thinking their website rankings would plummet without one.
The reality of the situation is that, yes, if you had an e-commerce website that was taking orders with credit cards and you didn’t have an SSL cert, then you would lose rankings(you’re also asking to be hacked and are probably in violation of the Terms and Conditions of whatever merchant account you opened up in order to accept credit cards.)
However, if your website primarily published content, then you didn’t have much to worry about since you were not asking for or transferring sensitive information, with the exception of your login details if you were using a CMS like WordPress, Joomla or any other website that had a back end for you to log into.
Not having a SSL cert does expose your login credentials since they are being transferred “in the clear” and it also means that you are stuck using FTP(which also transfers your login credentials and other information in the clear) and are unable to use SFTP or FTPS. In light of this, it’s beneficial for all websites to have an SSL cert to help prevent their website from being hacked, defaced, deleted as a result of stolen/intercepted login credentials, but it probably wouldn’t result in your website being de-ranked, as it would if you were an e-commerce website.
Let’s Encrypt Arrives On The Scene
As I mentioned earlier, Let’s Encrypt is a new player in the SSL certificate provider market. A group of organizations and companies got together and formed what they called the Internet Security Research Group. Their goal was to make a more secure internet and Let’s Encrypt is the result of this partnership and as part of their effort they have been giving out free 90-day certs that you can renew indefinitely(unless it’s revoked for some reason, but at that point you would just get a new one.)
To be fair, at least one other cert provider offered a free 90-day SSL cert, but they didn’t make it nearly as easy to install and renew as Let’s Encrypt does with the use of their mostly automated tools.
As great as Let’s Encrypt 90-day certificates are, they could be hard, if not impossible to implement if you were on a shared hosting environment. This is because in the past you were required to have a dedicated IP address in order to use an SSL cert and in order to use a dedicated IP address you would have to have, at a minimum, a VPS(Virtual Private Server.) With the adoption of “server name indication” (SNI) you no longer need a dedicated IP address. You can read a good discussion about this here.
As you can imagine, the people who have websites running on VPSs or dedicated servers probably already had SSL certs or are making enough money with their websites to not even think twice about buying one. However, a lot of websites out there are running in a shared hosting environment. These website owners may not or can not afford to use or upgrade to a VPS plan that has a dedicated IP address just to implement a SSL cert.
Rise of the Hosting Providers Offering Let’s Encrypt SSL Certificates
As mentioned above, website owners who have their websites hosted on shared hosting plans have long been left out in the cold when it came to SSL certs. Web server technology has also changed over the years and has gotten better at being able to differentiate what traffic should go to which website when multiple websites share the same server and IP address.
What this means for website owners in a shared hosting environment is that it’s very probable that the Let’s Encrypt free 90-day certificates are going to become a standard part of the hosting package that all shared web hosts offer. This will be due to competitive forces within the market. Once one host offers it for free, other hosts are going to have to follow suit or risk losing market share to the companies that do offer them for free.
In fact, there are already web hosts that have already integrated Let’s Encrypt into their hosting service. One example, is Wealthy Affiliate. who is one of the early adopters if not THE early adopter of using Let’s Encrypt SSL certificates in their shared hosting environment.
Wealthy Affiliate announced in early January 2017 that they had fully integrated Let’s Encrypt SSL certificates and that all premium members who hosted their websites through SiteRubix could install SSL certificates on their website with the click of a button through a feature they call SitePlus+. This is quite an improvement over the days of having to go back and forth with your web host to get a CSR generated to be able to get and install your cert.
Last Thoughts and Looking To The Future
If you’re looking for a web hosting provider then I would highly recommend using Wealthy Affiliate’s SiteRubix web hosting for your free SSL Cert. Their support is phenomenal and the community is amazing and helpful.
As of this posting, a casual search turned up that HostGator would let you install a Let’s Encrypt search for $10 per domain per installation. Since you have to renew a Let’s Encrypt certificate every 90-days you’re essentially paying HostGator $40 a year to use a Let’s Encrypt certificate. Kind of defeats the purpose of using a free SSL cert, right?
It may be a few years before we see wide spread implementation of free SSL certs in shared hosting plans. It seems that most providers are still stuck on trying to charge you for SSL certs in some way instead of just building the functionality into their system.
I also suspect that we are going to see the Certificate Authorities try to push Extended Validation(EV) certificates harder as free Let’s Encrypt certificates become ubiquitous and dominate the DV ssl cert market.