making bbPress (and WordPress) work better!

Everyone can make their website HTTPS for free

In case you have not heard the amazing news, Mozilla, EFF, Automattic and a few other folks are banding together to help end the SSL certificate cartel by the end of 2015.

This is huge. Everyone will be able to make their website HTTPS for free, without paying an annual fee, and much more easily than with StartSSL.

The good: These new certificates will be cross-signed by an existing trusted authority, which in plain English means that even older browsers should accept them (which is a problem with existing free self-signed or obscure certificate authorities).

The bad: They do not intend to offer wildcard certificates, at least not anytime soon – this means the SSL cartel can still feed on people who need subdomains supported (i.e. www.example + forums.example, etc.).

The ugly: They intend to make the certificates expire every 90 days. This makes it a little bit of a workout for folks to go through four times a year. However, it might be possible via some code (like a WordPress plugin) to automate the process and do all the work for you.

Note that you’ll still need to meet existing SSL/TLS requirements, such as a dedicated IP for your domain, unless you want to use SNI, which a handful of browsers do NOT support (IE6, IE7 or IE8 on Windows XP, Safari on Windows XP, Android 2.x, BlackBerry OS 7.1 or earlier, Windows Mobile up to 6.5, wget before 1.14, Nokia Browser and Opera Mobile for Symbian).

The other catch is that many websites have hard-coded HTTP URLs for images, etc., which will not work on an HTTPS website in a modern browser. WordPress is horrible about this, embedding HTTP everywhere. But with some plugins and template edits, and search/replacing your database, you can clean that up.
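
Finding those hard-coded URLs is the first step of the cleanup. The scanner below is an added example, not code from the original post: it flags `http://` sub-resources in a page's HTML and separates active from passive mixed content. The sample markup and its host names are constructed.

```python
from html.parser import HTMLParser

# (tag, attribute) pairs a browser fetches while rendering a page. Active
# content can rewrite the page, so browsers block it on https:// pages;
# passive media degrades the padlock or is upgraded or blocked.
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href"),
          ("object", "data"), ("embed", "src")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"),
           ("source", "src")}


class MixedContentScanner(HTMLParser):
    """Collects (line, kind, tag, url) for every http:// sub-resource."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # Only stylesheet links are treated as loads; rel="canonical" is metadata.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        for name, value in attrs.items():
            kind = ("active" if (tag, name) in ACTIVE
                    else "passive" if (tag, name) in PASSIVE else None)
            # <a href> is navigation, not mixed content, so its kind is None.
            url = (value or "").strip()
            if kind and url.lower().startswith("http://"):
                self.findings.append((self.getpos()[0], kind, tag, url))


def scan(html):
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample markup; all host names are hypothetical.
SAMPLE = """<link rel="stylesheet" href="http://blog.example/wp-content/themes/t/style.css">
<link rel="canonical" href="http://blog.example/post/">
<a href="http://other.example/">external link</a>
<img src="http://blog.example/wp-content/uploads/photo.jpg" />
<script src="//cdn.example/lib.js"></script>
<script src="http://blog.example/wp-includes/js/jquery.js"></script>"""

if __name__ == "__main__":
    for line, kind, tag, url in scan(SAMPLE):
        print(f"line {line}: {kind} <{tag}> {url}")
```

Protocol-relative URLs (`//host/path`) and plain links are deliberately not reported, since they inherit the page's scheme or are navigation rather than page content.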


ps. I know that “SSL” is retired and is now “TLS”, but we cling to old terms and call HTTPS “SSL”.

pps. If you need a wildcard SSL certificate, the lowest I’ve seen is $60 for two years at StartSSL, or sometimes you can find a 1 year only promo price from AlphaSSL under $20 if you search Google – there is also WoSign with free wildcards, but they are risky because they are in China and this makes the cert slow and subject to government manipulation…

3 responses

  1. I knew the limitations but didn’t know about every 90 day expiry! hmmm

    I love my wildcard SSL certificates so will be a while before letsencrypt will be useful to me.. I have like 80+ subdomains covered on SSL wildcard certificates. I am not regenerating 81 letsencrypt certs every 3 months LOL

    August 20, 2015 at 10:10 am

    • Yeah the lack of wildcards from them is annoying, it is like they were politically pressured not to offer them.

      However you can dig around for AlphaSSL wildcards on the cheap and just renew annually. A couple places are offering $5 intro rates but you can only buy one year at a time and then you have to deal with whatever price next year. But there might be a shakeup a year from now.

      Some people are going the route of free wildcards from WoSign but I think it is too risky and slow.

      In any case I think the days of $100 wildcards are over – I mean look at this nonsense: – good riddance!

      August 20, 2015 at 10:15 am

  2. The max 90 days was something I hadn’t heard before. Reference link –

    August 21, 2015 at 4:24 pm
