Surveillance
Self-Defense

Moving Your Site From "Not Secure" to Secure

Maybe you’re a beginner to web development, but you’ve done the hard work: you taught yourself what you needed to know, and you’ve lovingly made that website and filled it with precious content. But one last task remains: you don’t have that little green padlock with the word “secure” beside your website’s address. You don’t yet have that magical “S” after “HTTP”.

You might have heard or noticed recently that something is different on Google Chrome: if your website does not have a HTTPS certificate, your visitors will see a warning on your pages, cautioning them about your page’s security. This is because Google Chrome browser is now marking unencrypted websites that don’t provide HTTPS as “Not Secure.”

If you want to:

  • mark your website as secure
  • retain visitors to your website and boost search engine optimization
  • provide privacy to your site visitors
  • keep out nosey neighbors peeping on your and your users’ connections
  • prevent malicious actors from tampering with content on your site
  • prove that your site is not being impersonated (or prevent some malicious actor from pretending to be you)
  • do this all for free

Then, this post about getting an HTTPS certificate is for you! If transport-layer security, certificate authorities, and HTTPS are new concepts for you, check out this comic from How HTTPS Works: https://howhttps.works/.

The details about how to enable HTTPS on your site depend crucially on your hosting environment. Depending on the provider and software your site is hosted with, HTTPS setup could range anywhere from automatic, to a single click, to impossible (if your hosting provider specifically doesn’t allow HTTPS). For many web site owners, the most challenging or unfamiliar step in enabling HTTPS is getting a certificate, a document issued by a publicly-trusted certificate authority.  A valid certificate is required for browsers to confirm that encrypted connections to your site are secure.

EFF helped create a free, automated, publicly-trusted certificate authority called Let’s Encrypt, which is now the most-used certificate authority on the web. In this post, we’re going to provide advice about the process of getting a certificate from Let’s Encrypt. It’s a convenient option in many cases because it doesn’t charge money for the certificates, they’re accepted by all mainstream browsers, and the certificate renewal process can often be automated with EFF’s tool Certbot.

There are also many other certificate authorities (CAs), which have different policies and procedures for getting certificates. Most will expect you to pay for a certificate unless you have some other relationship with them (for example, through a university that gets free certificates from a particular CA, or if you use a web host that has a commercial relationship with a CA to let subscribers get certificates at no additional charge). For most purposes, you won’t get a different level of privacy or security protection by choosing one CA rather than another, so you can choose whichever public CA you conclude best meets your needs.

We’ve compiled some resources that we’re sharing here for beginners who are new to getting their own HTTPS certificates from the Let’s Encrypt Certificate Authority.

This blogpost isn’t a full tutorial, but is intended to help you get started with the journey to get a HTTPS certificate:

  1. Find whether your web hosting provider already provides free HTTPS certificates.
  2. Confirm with your web hosting provider to see what options are available for HTTPS.
  3. Learn what system and software your server uses.
  4. Troubleshoot until you find an appropriate tutorial to get HTTPS certificates for your site.
  5. Check that HTTPS is working!

We’re trying to improve this process to encrypt the web. When Let’s Encrypt first launched in 2016, only 40% of website connections were encrypted. Today, that number is as high as 73%. Help websites get to 100% encrypted and make the Internet more secure for everyone.

1. Find whether your web hosting provider already provides free HTTPS certificates.

Do you use Tumblr? Github pages? Weebly? Or a variety of other hosting providers?

There’s a chance that your web host already provides an option to obtain a certificate automatically, either from Let’s Encrypt or a different CA. Check if this is already described in your web host’s site or administrative interface. You can also check if they’re on this master list of web hosts supporting Let’s Encrypt, and if they have up-to-date instructions.

If you find your web host on the list of supported providers, or you already know that it has a tutorial or guide for using its HTTPS support, follow their instructions for enabling HTTPS on your site. If it is not supported, proceed below.

2. Confirm with your web hosting provider to see what options are available for HTTPS.

See if your site administration page has an option to enable HTTPS.

A lot of providers—including many that aren't on that community list—use software like cPanel on some of their hosting plans to let subscribers configure their hosting services. cPanel normally has a feature to let the subscriber automatically get a certificate for free (which may be either from Let's Encrypt or another CA).

Some of cPanel's competitors such as Plesk also have this configurable option. However, some hosts may be running outdated software or have deliberately disabled the ability to get a free certificate.

Get in touch with your provider and ask them about their options of HTTPS support.

Many providers are already working on making HTTPS available or  or may already provide an HTTPS feature. You can contact them and ask to see if this might be an option.

“Dear [company],

I would like to obtain a free HTTPS certificate for my site. I was wondering if this is already in the works?

Thank you.”

Your provider may then be able to guide you about whether your hosting plan allows you administrative access to the server (in which case a tool like Certbot may be relevant for you). See the next step if this is your circumstance.

3. Learn what system and software your server uses.

If your hosting provider doesn’t integrate Let’s Encrypt but you do have administrative access to your server, you can use software to obtain and install a certificate. This is dependent on what software your web server is using, and what operating system your server is running on.

If the above sounds like unfamiliar jargon and you’re not sure about what software or system you’re using, don’t worry! You can email your webhost to get that information

Try using the following language in an email to your webhost (influenced from Matt Mitchell).

“Dear [company],

I am using your hosting service. I’m interested in using Certbot to use a free certificate from Let’s Encrypt.. Can you send me the support webpage on how to do this? In particular, I’m wondering how I can SSH into your server from my computer? I need to know what software the server is using, and what system the server is on.

Thank you.”

If you know what software and operating system your web server is on and know how to use the command line, Certbot might be a good tool for you.

Check EFF’s Certbot site to generate instructions for getting Let’s Encrypt certificates on Unix servers that you administer. If you don’t see your server’s software and operating system reflected on Certbot, or are unable to get a certificate from following the Certbot instructions for your configurations, proceed to step 4.

4. Troubleshoot until you find an appropriate tutorial to get HTTPS certificates for your site.

This is the messy part: there are many, many tutorials out there for many possible situations. If you’re new to using your command line, we recommend calling a friend with experience in configuring a Let’s Encrypt certificate on their site to help. Be prepared to copy and paste error messages, and spend some time troubleshooting.

Try checking the service https://letsdebug.net/ for an analysis of your setup that can help point out a number of common problems. Try searching the Let’s Encrypt Community Forum for similar questions. If you don’t find the answer from the community’s responses, try submitting your own question to the Let’s Encrypt Community Forum, or calling a friend.

Some other things to look for as you set up HTTPS include:

  • Get the certificate to automatically renew every 90 days. This means you won’t have to go through the pains of configuring a new HTTPS certificate manually, or leaving your site with an expired certificate warning in web browsers if you forget to repeat these steps 3 months from now.
  • Redirect your sites to HTTPS by default, so that it doesn’t default to the HTTP connection.
  • Check with your site host if a wildcard certificate is available for you. This just means that it’ll apply to all your sites that are subdomains of the same domain (if the domain is “example.com”, the subdomains “transactions.example.com” and “email.example.com” will be covered by a “*.example.com” wildcard certificate).

Once you’ve found a tutorial and enabled HTTPS, you’re almost there!

5. Check that HTTPS is working!

Now, visit your site in your own browser and troubleshoot the HTTPS configuration for your site to make sure it’s working. If you have problems, some resources include:

For checking the certificate itself: https://www.ssllabs.com/ssltest/index.html

For checking the reason for security error messages in your browser: https://www.whynopadlock.com/

JavaScript license information