We all know what SSL is. It puts the padlock in your browser’s address bar and secures the connection to the website you’re visiting. If you’re sitting at Starbucks purchasing something online with your credit card, you’re protected. The problem is, most website owners only use SSL for online transactions. Uploading files to your website via FTP, writing a post on your WordPress blog, or logging into your favorite forum are actions that all go unprotected, leaving you vulnerable. Always-On SSL is the concept that we should be secure always. Not just for logins, but for the privacy of people browsing your website as well.
The Internet has become an increasingly dangerous place. With script kiddies trying to prove themselves, crackers creating ransomware for large payouts, and even governments hacking movie studios because they didn’t like their jokes, there are bad guys everywhere. Protect your website by enabling SSL. Every URL on your site should begin with ‘https://’.
Always-On SSL means that everyone should be using SSL on every page of their website, always. We’re seeing large companies such as Google, Facebook, Twitter, etc. take this approach, but we need to follow as individuals. This site, for example (FelicianoTech.com), is available via HTTPS. In fact, if you try to visit this site using HTTP, you’ll simply get a permanent redirect to the secured URL.
Why bother, specifically?
Passwords. Always-On SSL allows you to protect usernames and passwords for a website that you have. If you log into a blog, especially if it’s one with multiple authors, you can prevent people from stealing your credentials by sniffing the WiFi signal.
Privacy. Many ISPs modify and monitor traffic. This may simply be to make sure your PlayStation 4 online game has enough bandwidth to prevent lag. Monitoring, however, can sometimes be more personal: a boss, rogue IT employee, stalker, etc. who wants to see what you’re doing. Without HTTPS, someone can easily see every email that you send, Facebook status you post, blog post comment, etc.
Security. Running HTTPS allows you to prevent someone from conducting a man-in-the-middle attack against a potential visitor to your website.
What about all of the detractions?
What detractions? Many of the ‘cons’ of implementing Always-On SSL that I’ve heard are simply false. This can be seen in a very popular Stack Overflow question. Here are some of the typical excuses:
Unless someone has the password to your router, they can’t see your traffic.
This is false. Firstly, if you’re using WiFi, you’re screwed. WEP, one of the early WiFi encryption protocols, has been compromised. WPA/WPA2, the newer encryption protocol for WiFi, has been compromised via Wi-Fi Protected Setup (WPS). With that being said, many people use public, unencrypted Wi-Fi (Starbucks, McDonald’s, library, etc.), leaving everything you’re doing out in the open. Even in wired networks, wiretaps, ARP poisoning, and compromised network devices cause concern.
SSL certificates are expensive.
This is (an opinion but) false. There are now many places that sell SSL certificates for $6 a year. That’s less than $0.02 a day. Granted, some people still may not be able to afford that but comparatively, if you can afford a domain name and hosting, you likely can afford an SSL certificate.
It gets better. There are now ways to get SSL for free. If you’re using CloudFlare, you can use their free plan and get HTTPS support for your website for FREE. The awesome people at the Internet Security Research Group have put together an initiative to bring SSL encryption to the Internet for FREE! (It’s called Let’s Encrypt, go check it out).
SSL is CPU-intensive.
This is only true for crappy hosting providers with crappy servers. I work at Linode and I can tell you right now even with our cheapest plans, our CPUs will muscle through any cryptography work you throw their way. It’s 2015, CPUs are much more powerful than they used to be. Technically yes, HTTPS uses more CPU cycles than HTTP, but the difference is negligible, especially when you put it against all the pros that I’ve mentioned earlier in this article.
If CPU load still worries you, here’s a solution. If you terminate SSL on a proxy, say a NodeBalancer or CloudFlare, then your web servers don’t even need to do the CPU work. It’s all done on the proxy. You get the benefits of SSL without the load.
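The permanent HTTP-to-HTTPS redirect mentioned earlier, combined with SSL termination on a proxy, as an added example (not code from this site or from any provider named here): a Python WSGI middleware that answers plain-HTTP requests with a 301 and believes the proxy's X-Forwarded-Proto header only when the request comes from the proxy's own address. That the proxy sets this header is an assumption, and CANONICAL_HOST, TRUSTED_PROXIES and the sample requests are constructed values.

```python
# Added example: WSGI middleware that forces HTTPS with a permanent redirect.
from urllib.parse import quote

CANONICAL_HOST = "www.example.com"   # assumption: the site's one public hostname
TRUSTED_PROXIES = {"10.0.0.5"}       # assumption: address of the TLS-terminating proxy

def request_is_secure(environ):
    """True if the client's connection was HTTPS, directly or via a trusted proxy."""
    if environ.get("wsgi.url_scheme") == "https":
        return True
    # Behind a TLS-terminating proxy the backend only ever sees plain HTTP, so the
    # proxy has to report what the client used. Believe the header only when the
    # request really came from the proxy; any other client can forge it.
    if environ.get("REMOTE_ADDR") in TRUSTED_PROXIES:
        return environ.get("HTTP_X_FORWARDED_PROTO", "").strip().lower() == "https"
    return False

class ForceHTTPS:
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if request_is_secure(environ):
            return self.app(environ, start_response)
        # Build the target from the configured hostname, never from the
        # client-supplied Host header, so the redirect cannot be pointed elsewhere.
        path = quote(environ.get("PATH_INFO", "/") or "/", encoding="latin-1")
        query = environ.get("QUERY_STRING", "")
        location = "https://" + CANONICAL_HOST + path + ("?" + query if query else "")
        start_response("301 Moved Permanently",
                       [("Location", location), ("Content-Length", "0")])
        return [b""]

def simulate(app, **environ):
    """Run one constructed request through `app`; return (status, headers dict)."""
    seen = {}
    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)
    base = {"wsgi.url_scheme": "http", "REMOTE_ADDR": "203.0.113.9", "PATH_INFO": "/"}
    base.update(environ)
    b"".join(app(base, start_response))
    return seen["status"], seen["headers"]

def site(environ, start_response):
    """Stand-in for the real application (constructed for this example)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello over TLS"]
```

If the backend is reachable directly as well as through the proxy, restrict it to the proxy's address at the network level too, since the header check only covers requests that reach this middleware.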
Conclusion & Discussion
Always-On SSL is a concept that encourages the use of SSL on every page of every website. You don’t need to have an online store to have SSL. We can all benefit from the pros of SSL encryption, whether we are a website owner or the awesome people who come and read the things on our site.
If you run a website, be it a forum, blog, news site, whatever, try it out. There are plenty of guides out there on how to set up SSL for your website and there are plenty of people (like me) who are willing to help because it’s just that important.
Let’s Encrypt (mentioned earlier) is a really awesome, extremely important project that can help set the tone for Internet privacy and security in the future. Check them out and maybe even help them out if you can.
Did I miss some benefits of SSL? Is there a really good reason why you may not want to use SSL that I didn’t mention? Please comment and let me know.