How much is your SSL costing you?

I’m still not sure that I understand SSL in the right way. People THINK that an https site is secure so that they can trust it, right? But that’s not entirely true. Scammers are simply making new sites and adding a free SSL to it which makes it look more authentic, but it’s still a scammer’s site. So people are MORE likely to click through to a scamming site than they might have been before. I attach a screen grab to show you what I mean.

So yes adding SSL to your site means that people can more safely add their sensitive information. But it’s also now a great new way for scammers to hook more people into their own dodgy sites, that’s right isn’t it?! SCREEN GRAB BELOW

You can tell by the link it’s not genuine. It’s a common trick to use the name of the company in a longer url.

Barclays would use their root domain, That page can't be found, or something similar.

Barclays have an EV Cert (Extended Validation), which means the company has gone through extensive checks to make sure it’s legit. All banks should have this.

Also, Barclays’ URL is .co.uk.

1 Like
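The check described in the reply above (the company name sitting inside a longer URL), as an added example that is not part of the original thread: it compares a link's registrable domain with the brand's real one. The suffix set and the sample links are constructed for illustration; a real check should load the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for the Public Suffix List.
# A real check should load the full list from publicsuffix.org.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "example"}


def registrable_domain(url):
    """Return public suffix plus one label, the part a registrant controls."""
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    labels = host.split(".")
    # i grows from 0, so the first hit is the longest matching suffix.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None


def classify(url, brand_domain, brand_name):
    """Compare the link's registrable domain with the brand's real one."""
    if registrable_domain(url) == brand_domain:
        return "genuine"
    # Brand name appears in the URL, but someone else owns the domain.
    if brand_name in url.lower():
        return "lookalike"
    return "unrelated"


# Constructed sample links. Every one is HTTPS, which says nothing
# about who owns the domain behind it.
SAMPLES = [
    "https://www.barclays.co.uk/login",
    "https://barclays.co.uk.account-check.example/login",
    "https://secure-barclays-login.example/",
    "https://account-check.example/barclays/login",
    "https://www.bbc.co.uk/news",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(classify(link, "barclays.co.uk", "barclays"), link)
```

The second sample is the case from the screen grab discussion: the genuine domain appears in full, but only as subdomain labels of a domain someone else registered.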

Macdock offers it for free via Plesk ONYX and Let’s Encrypt.

Cartloom will offer it as well very soon. Use Storefront with your own domain and free ssl :wink:

1 Like

Scammers have been using paid certificates for years, a few bucks isn’t going to get in the way. The HTTPS only ensures that the data being transmitted is encrypted, not that the company is legitimate. This is to ensure that no one is intercepting the data between the users and the server.

So even a paid certificate wouldn’t help ensure you’re not getting scammed.
There’s no easy way for an end user to determine the certificate type issued.

2 Likes

Following on from what @NeilUK and @teefers have correctly said, better banks NEVER put web links, email addresses or phone numbers in emails. If a bank needs a user to action something, they normally tell them to manually go to the website and login. Quite a lot of other businesses do the same.

I’m sorry, but I lack sympathy for people who are gullible enough to fall for these simple scams. Not really any excuse for it and you certainly cannot levy the blame on SSL. It sounds like this individual needs to enroll onto a safe computing course or be under tighter supervision when they use their computer!

SSL is still vitally important for maintaining a safer transfer of personal data between the client and web server. For this reason, SSL becomes mandatory in Chrome next month: https://www.geocerts.com/blog/google-chrome-to-mark-all-non-ssl-sites-as-not-secure-in-june-2018

Firefox has just introduced something similar in the nightly builds too. So expect this to become mainstream soon. Safari and others are probably not far behind.

In answer to the original question, most of my public-facing sites are with @barchard Chillidog hosting, so are covered by the free SSL certificates Greg has been providing for a few years now.

For the reason stated above (with SSL becoming mandatory), I am of the opinion that any hosting company trying to charge users for SSL are not playing fair and blatantly out to just profiteer. Such companies should be boycotted - if we haven’t boycotted them already for their elephant killing antics! :angry:

The only reason to pay for an SSL certificate is if you need a special type of certificate or extra warranty / guarantee. Most average websites don’t. Even if you are selling stuff, often the final transaction is processed through a payment vendor (e.g. PayPal or Stripe) who have these more complex certificates and obviously have to maintain PCI compliance and suchlike.

4 Likes

This is superficially plausible but Companies House and HMRC would tell you to log in on line to see documents, never attach a file. And, of course, they’d never tell you to click a link.

Two things are making me procrastinate as I change a website for the new EU requirements.
One is changing all my pages to php to get Gateway etc to work and the other not strictly related but something I want to do when I am making changes and that is SSL.
I want publishing to be as simple as possible and I can’t afford to change hosting as it has all just been paid for, for another year and I don’t really want to use Transmit to publish, though I might have to. In other words I would prefer to just publish straight from Rapidweaver.
My host is LittleOak and I have been lazy about that but they have just been paid for the next year.
I understand if I change my pages to php although they will upload they will not remove the html files, will sit there and the only thing that will be provided are the html pages.
What is the easiest and least hassle way of removing the html files and republish the php files?
As for SSL, the information on Littleoak is that you select your Certificate provider, tell Littleoak who the provider is, then give the information to the provider and then give Littleoak the certificate.
Can you recommend a provider of the certificate and has anyone done this process with Littleoak who could clarify the process with Littleoak?
Best wishes,
Bentley

You can remove all the html pages with either an ftp program like transmit or with the file manager in your Cpanel.

To change pages to php, just change the filename in the RW page UI

2 Likes

Thanks everyone, your comments are appreciated :-).

1 Like

Simple Secure Socket Layer (SSL)/TLS Encryption | Cloudflare
Our SSL certificates encrypt communication for secure communications. Our Basic Universal SSL/TLS is free; this will increase your site’s security and trust. Go to https://www.cloudflare.com/ssl/

I started the process with Cloudflare but then got a bit scared. We need to go back to the domain hosting panel and change the DNS records, right? It’s as simple as that? I haven’t taken that next step yet.

Yes, that’s right. It’s not very complicated. Just follow their instructions.
As well as FREE SSL, you get a free SPEED boost, protection against a DOS attack etc… I have used Cloudflare on over 50+ of my domains and I never had any problems!

1 Like

Ah brilliant I can now see the padlock if I type in https… thanks so much :slight_smile:
However on my old bookmarks the old site still shows up ie www…

Can you remind me how I get old bookmarks to show the https automatically, or does it not work that way?

If you’re using Cloudflare there are page rules that you use to redirect http to https.

https://support.cloudflare.com/hc/en-us/articles/200170536-How-do-I-redirect-all-visitors-to-HTTPS-SSL-

1 Like

Ah ok I’ll check it out, thank you. Also I notice that when I do a check on the site using www.whynopadlock, I can see a whole list of domains (see attached). Is that because it’s a free service and is therefore being shared alongside lots of other people’s domains?

Shared SSL certs are like shared hosting. Crap!

1 Like

Why do you think it’s crap NeilUK?

Just because you can be sharing space with some dodgy websites. Although, I think the consequences are minimal these days.

Shared hosting is usually very limited, and I’d never trust my own or client sites on a shared hosting account. I’d rather pay a little more for peace of mind.

Also, many people swear by Cloudflare, but I’ve never rated their free service. I tried it once; it added 2 seconds to the site’s loading time.

However, people’s experiences are different, and if Cloudflare’s working for you, no reason not to use it.

1 Like

Sorry, I should have been a bit clearer with my question. I understand about shared hosting, but sharing the SSL feature isn’t the same as sharing your hosting, is it? I know that @joeworkman has recommended Cloudflare on his podcast so that’s why I’ve gone that route. Also it means I’m saving my client £80+ annually by bypassing their hoster’s SSL service. Does anyone else have less than positive views about Cloudflare?

As long as your domain name is on the SSL cert, it’s fine. Issues arise when using a shared SSL that doesn’t specify your domain name.

Personally, I just prefer to have a unique SSL per domain. Good hosting companies offer free Let’s Encrypt SSL certs so there’s no need to be paying £80+.
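The point above about your domain name needing to be on a shared certificate, as an added example that is not part of the original thread: it checks which entries in a certificate's list of names cover a given hostname. The matching is a simplified RFC 6125-style rule (no internationalised names or IP addresses), and the name list is constructed, standing in for the kind of list a checker shows for a shared certificate.

```python
def san_matches(hostname, san_entry):
    """Match one hostname against one dNSName entry, RFC 6125 style."""
    host = hostname.rstrip(".").lower().split(".")
    pattern = san_entry.rstrip(".").lower().split(".")
    if len(host) != len(pattern):
        return False  # a wildcard stands for exactly one label
    if pattern[0] == "*":
        # Accept the wildcard only as the whole leftmost label of a name
        # with at least three labels, then compare the remaining labels.
        return len(pattern) >= 3 and host[1:] == pattern[1:]
    return host == pattern


def covering_entries(hostname, san_list):
    """Return every certificate name that covers this hostname."""
    return [entry for entry in san_list if san_matches(hostname, entry)]


def audit(hostnames, san_list):
    """Map each hostname to the entries covering it (empty list = not covered)."""
    return {name: covering_entries(name, san_list) for name in hostnames}


# Constructed name list for a certificate shared between unrelated sites.
SHARED_CERT_SANS = [
    "shared-edge-1234.cdn.example",
    "bakery.example", "*.bakery.example",
    "garage.example", "*.garage.example",
]

# Constructed hostnames to check against that certificate.
SITES = [
    "bakery.example",           # bare domain: needs its own exact entry
    "www.bakery.example",       # covered by the wildcard
    "shop.www.bakery.example",  # two labels deep: the wildcard does not reach
    "florist.example",          # not on the certificate at all
]

if __name__ == "__main__":
    for name, entries in audit(SITES, SHARED_CERT_SANS).items():
        print(name, "->", entries or "NOT COVERED")
```

A browser shows a certificate warning for any hostname that comes back with an empty list, however many other sites share the certificate.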