Are you ready for HTTP/2? Are you using TLS?

I know many here host websites. If you are managing your website yourself, then this is something you probably need to think about.

Nearly 10% of the top 10M websites are now offering HTTP/2, which gives tangible performance improvements over HTTP/1.1. If you run your own server, adopting HTTP/2 looks to be quite easy as it's supported by both current versions of Apache2 and NGINX. If you are reliant on web hosting, then you will need to check with your host whether they are using the new standard.

HTTP/2 at its draft stages was going to be HTTPS only. Fortunately that requirement was dropped. Unfortunately, all the common web browsers are insisting on TLS (HTTPS) for all sites accessed using HTTP/2. So that means, if you don't currently have HTTPS enabled for your website, you are going to need it.

It's fairly well understood that Google is pushing for more sites to use HTTPS. In January 2017 Chrome will soon start alerting users that HTTP sites are insecure. It's also believed that Google will in future start marking its search results for HTTP sites as insecure too. (It's already widely accepted that Google are prioritising HTTPS sites over HTTP ones.)

http://www.ubergizmo.com/2016/09/google-http-websites-not-secure/

Is anyone here already using HTTP/2? (I'm not, but it's something I will start looking into soon).
What about HTTPS/TLS? ... (I've not seen it as a concern before now because none of my public-facing sites collect any data).
 
well that's doubled my annual hosting cost. thanks google.

free/cheap SSL is not an option for hosts that charge to install 3rd party certs.

probs would be a time to move to hosting where you have some freedom :) I know what you mean, it's mostly all those godaddy/1&1 not allowing 3rd party SSL's (i think)
 
TSO also charge to manage 3rd party certs. and to be fair it's reasonable for them to want to vet certs that they have not issued.

anyway i think this is massive unnecessary overkill from google. not everyone needs an SSL certification on all content.
 
Couldn't agree more.
Wish I had known about namecheap as an option for certs before getting a new certificate last week for my mail server.
 
not using TSO and never used, but just checked their website and indeed they charge £25 per year to manage 3rd party certificates... Out of interest, do you actually have standard cPanel or is it something specific for TSO (as control panel for your hosting)?
 
just checked with TSO support, and in fact, even if you take professional cPanel hosting or even reseller hosting, the same fee still applies.... crazy....
 
depends on your package but cpanel is an option. just looked and there are no options to add SSL without involving them.
 
I tend to use certificates from StartSSL, properly verified and great value for multi domain certificates.

I guess some providers charge for several reasons:
1. Their own certificates come with an automated install script and are linked for updates to their billing system.
2. Manually installing a certificate isn't always that straightforward, especially when you start getting wildcard or multi domain situations and include email as well. I'd say the vast majority of users will require assistance.
3. As it isn't automated it will take time, and time costs money in such a cut-throat, small-margin business.
 
What about HTTPS/TLS? ... (I've not seen it as a concern before now because none of my public-facing sites collect any data).
At work we have certificates on all our servers, as our sites all have logins and sending a password in clear is considered bad form, because you never know who might be sitting on a router in LINX after all, just waiting for the packet containing your username and password to flash by. Or something. Anyway, people worry less when they see the green padlock when logging in.

It seems an absurdity to require it for a site serving only static content and not collecting any user input.
 
I've already noticed chrome giving a little ! next to the URL saying it's not secure.

Deployed my cert last week, was fairly painless thankfully, only a few pages needed updating as they were pulling unsecured scripts.
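
A check for the mixed-content problem the last post describes (pages on an HTTPS site still pulling scripts over plain HTTP), as an added example that is not part of the thread. The sample page and its hostnames are constructed, and the tag list is a simplified assumption rather than a full browser rule set.

```python
from html.parser import HTMLParser

# Tags whose attribute makes the browser fetch a subresource.
# "active" content can change the page and is blocked on HTTPS pages;
# "passive" content (media) usually only degrades the padlock.
FETCHES = {
    "script": ("src", "active"), "iframe": ("src", "active"),
    "object": ("data", "active"), "embed": ("src", "active"),
    "img": ("src", "passive"), "audio": ("src", "passive"),
    "video": ("src", "passive"), "source": ("src", "passive"),
}

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, kind, tag, url)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "link":
            # Only stylesheet/icon links are fetched; rel=canonical is not.
            rel = a.get("rel", "").lower().split()
            if "stylesheet" in rel:
                attr, kind = "href", "active"
            elif "icon" in rel:
                attr, kind = "href", "passive"
            else:
                return
        elif tag in FETCHES:
            attr, kind = FETCHES[tag]
        else:
            return  # e.g. <a href> is navigation, not a subresource
        url = a.get(attr, "").strip()
        # Scheme-relative ("//host/x") and relative URLs inherit HTTPS.
        if url.lower().startswith("http://"):
            self.findings.append((self.getpos()[0], kind, tag, url))

def find_mixed_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page, not taken from any real site.
SAMPLE = """<!doctype html>
<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<link rel="canonical" href="http://www.example.test/">
<script src="https://cdn.example.test/ok.js"></script>
<script src="http://cdn.example.test/legacy.js"></script>
</head><body>
<a href="http://other.example.test/">plain link</a>
<img src="//img.example.test/logo.png">
<img src="HTTP://img.example.test/banner.jpg">
</body></html>"""
```

Run `find_mixed_content()` over each template or rendered page before switching a site to HTTPS; fix the "active" findings first, since those are the ones browsers refuse to load.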
 