I followed +Pierre Far and +Ilya Grigorik's advice: I purchased an SSL certificate and set up HTTPS + HSTS (http://en.wikipedia.org/wiki/Strict_Transport_Security) on my personal website, https://www.giacomopelagatti.it/, which now 301-redirects all HTTP requests to the corresponding HTTPS URLs, and issues the following response header:

Strict-Transport-Security: max-age=31536000; includeSubDomains

I did it mainly because I wanted to see how difficult it is to complete this task, from an average webmaster's point of view (okay, I'm probably not an "average" webmaster, but I got the idea). :)

From the start of the certificate purchase process to the end of the server-side configuration (including all necessary checks to verify that everything worked as it should), it took me about 1 hour. I guess the fact that my site runs on WordPress made some things much easier, although I used no plugins. After that, I added and verified the HTTPS version of my website in Google Webmaster Tools (and connected it to the corresponding Google Analytics property), submitted the new XML sitemap URL, and updated a couple of external links. This other stuff took me maybe another 10 minutes.

The SSL certificate cost me $9, from Namecheap.com.

What about you?

Are you going to make your site #securebydefault  later this year, and if so, why? :)
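The header quoted above is only honoured under specific conditions, and a deployment can look right while browsers silently discard it. The following shell script is an added example, not part of the original post or of the site's configuration: it parses a Strict-Transport-Security value the way RFC 6797 requires (max-age mandatory and numeric, directive names case-insensitive, quoted values allowed, any directive given twice invalidates the whole header, unknown directives ignored) and then applies the check that is easiest to get wrong: the header only counts when it arrives over HTTPS, so emitting it only alongside the HTTP-to-HTTPS 301 does nothing. The 18-week floor (10886400 seconds) used as the minimum is an assumed deployment threshold, not something the post states, and the function names are made up for this example.

```sh
#!/bin/sh
# Added example, not code from the original post: parse and judge a
# Strict-Transport-Security header the way a browser does (RFC 6797).
set -eu
set -f   # no pathname expansion while header values are split on ';'

HSTS_MIN_AGE=10886400   # 18 weeks; an assumed floor for this example

# hsts_parse VALUE
# Prints "max_age=<seconds> include_subdomains=<0|1>", or "invalid" when a
# browser would discard the header (missing or non-numeric max-age, or any
# directive present twice). Unknown directives are ignored, as the RFC says.
hsts_parse() {
  seen_max_age=0
  seen_isd=0
  max_age=""
  include_subdomains=0
  bad=0
  old_ifs=$IFS
  IFS=';'
  for directive in $1; do
    # Trim surrounding whitespace; directive names are case-insensitive.
    directive=$(printf '%s\n' "$directive" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    if [ -z "$directive" ]; then continue; fi
    name=$(printf '%s\n' "${directive%%=*}" | tr 'A-Z' 'a-z')
    case "$directive" in
      *=*) dirval=${directive#*=} ;;
      *)   dirval="" ;;
    esac
    dirval=${dirval#\"}
    dirval=${dirval%\"}   # directive values may be quoted-strings
    case "$name" in
      max-age)
        [ "$seen_max_age" -eq 0 ] || { bad=1; break; }
        seen_max_age=1
        case "$dirval" in ''|*[!0-9]*) bad=1; break ;; esac
        max_age=$dirval ;;
      includesubdomains)
        [ "$seen_isd" -eq 0 ] || { bad=1; break; }
        seen_isd=1
        include_subdomains=1 ;;
    esac
  done
  IFS=$old_ifs
  if [ "$bad" -eq 1 ] || [ "$seen_max_age" -eq 0 ]; then
    echo invalid
    return 0
  fi
  echo "max_age=$max_age include_subdomains=$include_subdomains"
}

# hsts_effective SCHEME VALUE MIN_AGE
# Decides whether the response that carried VALUE installs a usable policy.
# Browsers ignore the header on plain-HTTP responses (RFC 6797 section 8.1),
# so it has to be on the HTTPS response, not only on the HTTP 301.
hsts_effective() {
  if [ "$1" != "https" ]; then
    echo "ignored: not received over TLS"
    return 0
  fi
  parsed=$(hsts_parse "$2")
  if [ "$parsed" = "invalid" ]; then
    echo "ignored: malformed header"
    return 0
  fi
  age=${parsed#max_age=}
  age=${age%% *}
  if [ "$age" -lt "$3" ]; then
    echo "weak: max-age $age below $3"
    return 0
  fi
  echo "ok: $parsed"
}

# Constructed inputs: the header from the post, seen on each kind of response.
HDR='max-age=31536000; includeSubDomains'
echo "on the HTTPS response:      $(hsts_effective https "$HDR" "$HSTS_MIN_AGE")"
echo "only on the HTTP 301:       $(hsts_effective http  "$HDR" "$HSTS_MIN_AGE")"
echo "duplicate max-age:          $(hsts_effective https 'max-age=31536000; max-age=0' "$HSTS_MIN_AGE")"
echo "too short to be useful:     $(hsts_effective https 'max-age=3600' "$HSTS_MIN_AGE")"
```

To run it against a real site, probe both schemes (`curl -sI http://www.example.test/` and `curl -sI https://www.example.test/`) and feed each response's Strict-Transport-Security value to hsts_effective with the matching scheme: the HTTPS probe is the one that has to come back "ok". Checking only that the 301 carries the header, which is what a quick look at the redirect tends to do, proves nothing.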
 
At Google I/O earlier this week, +Ilya Grigorik and I talked about how to implement HTTPS on all your sites. We covered a ton of topics, like why you need HTTPS, how to deploy it correctly in a way that doesn't impact website performance (we talked about HSTS, session resumption, SPDY, and more), and how to make sure your secure sites get indexed correctly (lots of indexing signals!). Check it out:

Google I/O 2014 - HTTPS Everywhere

We referenced some docs and tools. Here they are to dig into:

https://istlsfastyet.com/ (The answer is a resounding "yes")
https://wiki.mozilla.org/Security/Server_Side_TLS
https://www.ssllabs.com/

and, of course, https://www.google.com/webmasters/tools/
 
Cheap certificates cause a warning on browsers.
 
Yes. The one +Stefano Gorgoni mentioned is one of the biggest issues with cheap certificates. For example, your website now gives me a warning on Firefox.
 
I tested with Firefox, Chrome, Safari, IE and Opera on Windows, and I didn't get any warning, but I do get a "Certificate not trusted" warning in Firefox/Ubuntu and Chrome for Android.

Here's a comparison between Firefox/Windows 7 and Firefox/Ubuntu, where you can see the differences in the certificate chain: https://plus.google.com/photos/116990739437091947602/albums/6030639262305044945?authkey=CMyzy43d0_OEvAE

I guess all major Windows browsers can fetch the missing certificates by themselves (or have them built-in?), while Firefox/Ubuntu and Chrome/Android don't, and expect the server to provide them.

When my certificate was issued, the issuing CA (Comodo) also sent me the following:

1. Root CA Certificate - AddTrustExternalCARoot.crt
2. Intermediate CA Certificate - COMODORSAAddTrustCA.crt
3. Intermediate CA Certificate - COMODORSADomainValidationSecureServerCA.crt

I opened a support ticket with my hosting provider about 10 hours ago, asking them to install the missing certificates for me, and I'm currently waiting for a reply.

Anyway, I don't believe this error (which is due to a partial/incomplete installation) is limited to "cheap certificates": not long ago, one of my clients had the very same issue (i.e., some browsers showing "Certificate not trusted" warnings due to missing intermediate CA certificates in the server configuration) with a certificate issued by Thawte, which was not "cheap".
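The symptom described in the comment above, a certificate that validates in browsers on Windows but not in Firefox on Ubuntu or Chrome on Android, is the classic sign of a server that sends only the leaf certificate. The Windows certificate store fetches a missing intermediate through the certificate's Authority Information Access URL, while Firefox (which carries its own NSS trust store) and older Android clients generally do not, so they only ever see a leaf whose issuer is unknown to them. The following shell script is an added example, not code from the thread or from the hosting provider: it builds a throwaway root / intermediate / leaf chain with openssl (every name in it is made up) and verifies the leaf against a trust store that holds only the root, first with the intermediate absent, which is the broken deployment, and then with it served alongside the leaf, which is the fix.

```sh
#!/bin/sh
# Added example, not from the thread: build a throwaway root -> intermediate
# -> leaf chain with openssl and verify the leaf against a trust store that
# holds only the root, without and then with the intermediate. All names
# (Example Root, Example Intermediate, www.example.test) are invented.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config: the DN comes from -subj; the [ext] section is only
# applied when -x509 (the self-signed root) is used.
printf '[req]\ndistinguished_name=dn\nx509_extensions=ext\n[dn]\n[ext]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$WORK/req.cnf"

# issue CSR CACERT CAKEY EXTFILE OUT: sign a CSR with the given CA.
issue() {
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
    -days 2 -sha256 -extfile "$4" -out "$5" 2>/dev/null
}

# build_chain DIR: writes root.pem, int.pem and leaf.pem (plus keys) into DIR.
build_chain() {
  d=$1
  # Root CA, self-signed: this is what the client's trust store holds.
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 2 \
    -config "$d/req.cnf" -subj "/CN=Example Root" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  # Intermediate CA, signed by the root: the certificate hosts forget to serve.
  openssl req -new -newkey rsa:2048 -nodes -config "$d/req.cnf" \
    -subj "/CN=Example Intermediate" -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$d/int.ext"
  issue "$d/int.csr" "$d/root.pem" "$d/root.key" "$d/int.ext" "$d/int.pem"
  # Leaf (server) certificate, signed by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -config "$d/req.cnf" \
    -subj "/CN=www.example.test" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.test\n' > "$d/leaf.ext"
  issue "$d/leaf.csr" "$d/int.pem" "$d/int.key" "$d/leaf.ext" "$d/leaf.pem"
}

# chain_status ROOT LEAF [SERVED]: prints "trusted" or "untrusted".
# ROOT plays the client's trust store; SERVED is whatever extra certificates
# the server sent along with the leaf (nothing at all in the broken case).
chain_status() {
  if [ $# -ge 3 ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1 && echo trusted || echo untrusted
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 && echo trusted || echo untrusted
  fi
}

build_chain "$WORK"
# What the server should serve: the leaf first, then the intermediate(s),
# never the root (clients already have it, or they should not trust it).
cat "$WORK/leaf.pem" "$WORK/int.pem" > "$WORK/fullchain.pem"

echo "leaf only, intermediate missing: $(chain_status "$WORK/root.pem" "$WORK/leaf.pem")"
echo "leaf plus intermediate served:   $(chain_status "$WORK/root.pem" "$WORK/leaf.pem" "$WORK/fullchain.pem")"
```

The live equivalent of chain_status is `openssl s_client -connect www.example.test:443 -servername www.example.test -showcerts </dev/null`, which prints every certificate the server actually sends; "unable to get local issuer certificate" in its verify output is this same failure, and it is independent of what the certificate cost. Running that from a machine with a bare trust store (not one that has already cached the intermediate from another site) is the check to make before turning on the 301 redirect and HSTS.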
 
Still there on my Chrome/Nexus 4 (the Nexus 10 is sleeping at home).
 
The Mac OSX version of Firefox is also showing the warning.
 
+Andrea Pernici Is this delay normal? I mean, is there something that needs to "propagate", when installing new certificates? (I don't think so, but I might be wrong).
 
The hosting provider finally replied:
> we forced a reconfiguration of the website and the web server should have picked up the new SSL chain.

I no longer see warnings on Firefox/Ubuntu and Chrome/Android, and http://www.sslshopper.com/ssl-checker.html#hostname=www.giacomopelagatti.it is now looking good.

I guess what happened confirms that installing an SSL certificate is no trivial task, during which things can go wrong; so it is essential to perform redundant checks on the server configuration. For high-traffic websites I would also recommend not enabling HSTS and 301 redirects to HTTPS URLs until you're 110% sure that the certificate is correctly installed and no browser is receiving any security warning.
 
Yes... the only problem is that I have to upgrade something on the server (TLS, etc.)... it's quite an old one :/
 
If I am not wrong, then cheap certificates are considered cheap in terms of price, not in terms of features! For example, if we have a Symantec Secure Site SSL certificate, one of the premium-class SSL certificates on the Internet, it might be offered at a low price by some other authorized reseller, and that could be why they refer to it as a cheap certificate: only because it is offered at a low price.

I would recommend to everyone that they go through a third-party certificate authority such as Symantec, GeoTrust, Thawte or RapidSSL, which are trusted by 99% of web browsers and mobile devices!
 
Because on the server where I tested it, an upgrade would be problematic, and I don't have much time right now (my wife could kill me) :(