If you don’t have the SSL padlock, things are finally starting to crumble…

As business owners, we’ve all probably heard by now that it’s a good idea to install what’s known as an SSL Certificate into your website, with scaremongering techies like me telling you that:

  • It’s a good idea.
  • Google might one day penalise you.
  • No, really, it’s a good idea!

It’s not that we are wrong.

Yes, from a trust perspective, a padlock is going to reassure users, and more and more users care, as they become aware that there might be an issue.

Yes, there are good technical reasons why, if everyone gets an SSL certificate, the web is generally a lot safer for users, as cyber-criminals have a much harder time intercepting your activity.

Yes, it’s even a requirement for GDPR! Although no one really shouted about it. If you have a form on your site, GDPR will tell you that the name, telephone number, email and message that are transmitted are actually personal information. Install an SSL certificate and that info is encrypted on its way to your server. Don’t bother, and it’s plain text all the way from where they are to where your server is.

But up until now, there’s not been anything that you can’t do if you don’t install a certificate. And there’s been very little downside if you ignored it – at least, little downside that you’d be aware of.

This is changing

Effective this July (2018) Google will mark all sites without an SSL certificate as “Not Secure” in Chrome. If you want to read more about it, type “July Google SSL” into your browser, but needless to say, this will send a message out to your customers. Your site is “Not Secure”. What will they think about that?

This has changed

Of course, you already get a slight search advantage for having an SSL certificate installed. So you already had a good reason to do it. But this is a little more obvious.

But if you would like another reason to get this sorted out, it comes from Facebook.

Facebook has always been a great tool for businesses, and one of the most requested features we install on our clients’ WordPress websites is the ability to allow the site to post any news articles put on the site straight up to Facebook too. In order to do this, you have to create a Facebook app that allows the connection between the site and your Facebook page.

It’s easy to do.

But it’s actually impossible now, without an SSL certificate. Facebook are no longer allowing you to transmit unencrypted data from your site to theirs. They will argue that there’s a risk it could be tampered with on the way. But whatever the likelihood, there’s no changing them. No SSL, no auto posting.

What’s next?

When you follow this to its natural conclusion, you’re going to see a whole load of other services that will start to take a stronger line when it comes to unsecured sites. What if Facebook stops you driving advertising traffic without an SSL certificate? What if Google Analytics stops working? What if that really important plugin you use for your podcast, your CRM, your online order form, etc., stops working?

Really, if there was a time to do it, it’s now. This is not going away.

How to do it?

Costs? These days a basic certificate is free. There are more premium certificates, but you don’t need one for simple sites. And administering the on-going certificate (they need renewing like domain names) will cost no more than a few tens of quid a year.

The big cost is the on-boarding, as this can get pretty hairy.

For a simple site, it’s usually not too bad. You install the certificate and test it. You create a staging site running through the certificate so you can see if the site still works. You put in place redirects to make sure all traffic is being routed to the secure version of the site, and you do a scan of your database to make sure there are no hard-coded non-secure resources. You then put the site live on the secure channel.
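The database scan for hard-coded non-secure resources mentioned above, as an added example (not part of the original article and not WP Aid’s own tooling). It assumes the post content has been exported as a mapping of post id to HTML; the `shop.example` and `cdn.example` rows are constructed sample data.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# (tag, attribute) pairs the browser loads or submits to. "active" is blocked on
# an https page, "passive" draws a warning, "form" sends typed data over http.
WATCHED = {
    ("script", "src"): "active", ("iframe", "src"): "active", ("link", "href"): "active",
    ("img", "src"): "passive", ("video", "src"): "passive", ("audio", "src"): "passive",
    ("form", "action"): "form",
}

class InsecureResourceFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for (watched_tag, attr), kind in WATCHED.items():
            if watched_tag != tag:
                continue
            # <link> only loads a resource when it is a stylesheet, not rel="canonical".
            if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
                continue
            url = (attrs.get(attr) or "").strip()
            if urlparse(url).scheme.lower() == "http":
                self.findings.append((kind, tag, url))

def scan_posts(posts):
    """Map post id -> findings for every post with a hard-coded http:// resource."""
    report = {}
    for post_id, html in posts.items():
        finder = InsecureResourceFinder()
        finder.feed(html)
        finder.close()
        if finder.findings:
            report[post_id] = finder.findings
    return report

# Constructed sample rows standing in for exported post content.
SAMPLE_POSTS = {
    101: '<p>Spring sale</p><img src="http://shop.example/uploads/tulip.jpg" />',
    102: '<script src="http://cdn.example/widget.js"></script><img src="https://shop.example/ok.png">',
    103: '<link rel="canonical" href="http://shop.example/"><a href="http://partner.example/">x</a>',
    104: '<form action="http://shop.example/contact" method="post"></form>',
}

if __name__ == "__main__":
    print(scan_posts(SAMPLE_POSTS))
```

Ordinary links and canonical tags (post 103) are left alone because the browser does not load them as part of the page; only resources it fetches or submits to automatically are reported.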

Clearly that’s all Greek for a non-techie, but it’s not an impossible job. It would normally take an hour or two if everything goes well, and a day if it doesn’t!

For a big site, it could be a right pain in the… But then bigger sites probably already have a techie on board thinking about these things.

I believe this is a good step for the web. So I am prepared to offer any new client who comes on board with WP Aid and quotes “SSL” during sign-up, a free SSL onboarding task as part of your site on-boarding.

And because I hate offers that exclude current customers, I’ll offer an SSL implementation project as a standard monthly task for any of our current customers too!

(Both of these offers are subject to the ongoing payment of the SSL certificate admin fee mentioned above as part of your package – the implementation project is the offer. And this offer can’t be used in conjunction with other offers. Here ends the T&Cs!)

If neither of these options suits you, drop me a message, and I’m happy to try to answer any questions you might have about your own situation. Just don’t leave it too long – things are crumbling around us, and there’s a point where the buildings will start falling into the sea…

What is a DNS and why should I care?

Most business owners have only vaguely heard of the letters DNS. Techno-geeks might have mentioned them when the website was being put together, but we didn’t understand then, and we’ve forgotten now.

Yet a DNS provider is critical to how the web works. And not making a conscious decision on your provider means you’ll be left with the default. And usually the default sucks.

If you would like to jump straight to the answer, here it is:

In most cases a business should switch their DNS provider to Cloudflare. It’s what we use, and there’s a good case for you doing the same.

There we go! That was a short article, wasn’t it? But if you’d like a bit more of an explanation as to why the answer is what it is, read on.

How the internet works

Ok, a big ask, but I’m going to try to explain how the internet works in a matter of a couple of sentences.

When you’re on your computer (or any other internety thing) and you browse for a website, 999 times out of 1000 your computer has no idea where the thing you’ve asked for lives. For example, you want to look at your favourite gardening website – TulipWorld.com. And why not!

So, given your computer doesn’t know where the web-server is that could serve up these Dutch beauties, it goes to its Internet Service Provider (which could be Virgin, BT or Sky if you’re at home, or whoever is providing your mobile or wifi services if you’re out and about). Your computer asks “I want the homepage of tulipworld.com – can you get it for me?”.

Your ISP knows something about the domain name tulipworld.com. It doesn’t know where the website is, but it does have information about the domain, including the Domain Name-Servers. This information is stored as part of the standard info every time you register a domain name.

The ISP goes to the server listed as the domain name server, and asks “Any idea where the website tulipworld.com is being hosted?”. The job of the DNS is to reply with the location of the server that hosts the site. This is the IP Address of the website server, or web server.

Now the ISP knows where the web server is, it can just ask the server for the page of content, and pass it back to your computer.

And that’s how it works!

This raises a few questions…

The observant among you might already be jumping to a few conclusions, and maybe have a few questions…

  • Firstly, does this then happen for pretty much every website page request? The simple answer is that it happens a lot. It may be that your ISP remembers the answer to the question (by storing it in a cache – a temporary memory that will be deleted later), so subsequent page requests might not need it. But it will definitely be required for every visitor to your site, and more importantly it will be required for the first page request – the one that we don’t want users bouncing from.
  • Secondly, what about other things? Does it happen a bit like this for email? For VOIP calls? Yes, it does. Each thing that hangs off your domain name has records that are provided by your DNS.
  • Thirdly, what happens if I don’t explicitly choose my DNS provider when I register my domain name? In 999 cases out of 1000, the company you buy the domain from (your domain name registrar) bundles in DNS provider functionality as part of the £10 a year or whatever it charges for the domain name.

So what are the chances that your particular domain name registrar is also the best provider of fast, cheap DNS services? Slim to zero!

Fastest DNS provider for UK websites

So how do we get to the answer of what DNS provider to use? Firstly, let’s go to the data. DNSPerf tests a lot of this stuff. You can look at the answers for resolver simulation in Europe here: http://www.dnsperf.com/#!dns-providers,Europe,resolver_simulation

Do you see your domain name registrar in the list? At time of writing, GoDaddy is at 20, and Namecheap is at 18. Lots of the other biggies aren’t there at all. No Fasthosts, no 123-Reg… etc, etc.

Right at the top of the pile is Cloudflare. Cloudflare’s predicted resolve time is 6.87ms at time of writing. GoDaddy’s is 22.15ms. So Cloudflare is 3 times faster.

Cloudflare basic is free.

Hence, our suggestion is to change DNS providers from yours to Cloudflare. If you come on board with WP Aid they will manage the whole thing for you so nothing breaks during the transition. Just drop me a message.

Jake Liddell
