SSL certificates

I decided to get an SSL certificate for my website when I got the domain. My host had a deal on, so I got it due to having a need to process at least some data somewhat more securely than plaintext.

With a combination of htaccess rewrite rule foolishness (which I am trying to work out this evening, and will post on another time) I decided at the time to make the entire site SSL for the time being. I’ve only just started checking this again, since I want to try and get WordPress and Mediawiki working together somehow.

There are some pros and cons for this I’ve come up with, and by the end of the evening I’ll probably have turned off mandatory SSL and put a quick page up on SSL in case anyone wants to use it, since I will myself carry on using it anyway. (Read more for details on pros and cons)

Pros for site-wide SSL:

  • SSL provides security for posting comments (your email/website/username is sent in plaintext otherwise)
  • More or less makes sure the website you’re visiting is actually mine (I know it’s not perfect but it’s as good as the internet has at the moment)
  • Was easy to set up, a few rewrite rules which WordPress doesn’t mess with (for once!)

Cons:

  • There was no reason why I couldn’t have made it optional (apart from at the time I was busy working on getting the site to what I wanted it to be). This is now a larger con, since I have some time to change it 🙂
  • SSL makes browsing marginally slower, and revisits much slower, due to caching not often saving across browser sessions for SSL-encrypted websites
  • I’m forced to use www.aarmstrong.org to have the certificate work “validly” – people accessing it via a simpler URI will have a prompt saying “This is not totally correct, proceed?” which means people might not even visit. If I ever wanted to use a subdomain, I can use SSL but it’d be a “not 100% valid certificate”, so would definitely need something worthwhile on it to be worth doing.
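
The warning in the last con comes from the browser comparing the requested hostname with the names listed in the certificate. As an added example (not code from the original post), this simplified RFC 6125-style matcher shows which hostnames each kind of certificate covers; every name list except the single www.aarmstrong.org one, and the `wiki` subdomain, are constructed assumptions.

```python
# Added example: simplified certificate-name matching, in the style of RFC 6125.
# Only whole-label, left-most wildcards are honoured; partial wildcards such
# as "w*.example.org" are treated as literal text and never match.

def name_matches(pattern: str, host: str) -> bool:
    """Compare one DNS name from a certificate with the requested hostname."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False              # a wildcard stands for exactly one label
    if p[0] == "*":
        if len(p) < 3:
            return False          # refuse over-broad patterns such as "*.org"
        return h[0] != "" and p[1:] == h[1:]
    return p == h


def cert_covers(cert_names, host) -> bool:
    """True if any name in the certificate matches the host."""
    return any(name_matches(n, host) for n in cert_names)


def audit(cert_names, hosts) -> dict:
    """Map each hostname to whether the certificate would validate for it."""
    return {host: cert_covers(cert_names, host) for host in hosts}


# The certificate described in the post: valid for one name only.
SINGLE_NAME = ["www.aarmstrong.org"]
# Constructed alternatives: a second name for the bare domain, and a wildcard.
WITH_APEX = ["www.aarmstrong.org", "aarmstrong.org"]
WILDCARD = ["*.aarmstrong.org"]

# "wiki.aarmstrong.org" is a hypothetical subdomain used for illustration.
HOSTS = ["www.aarmstrong.org", "aarmstrong.org", "wiki.aarmstrong.org"]

if __name__ == "__main__":
    for label, names in [("single name", SINGLE_NAME),
                         ("www + bare domain", WITH_APEX),
                         ("wildcard", WILDCARD)]:
        print(label)
        for host, ok in audit(names, HOSTS).items():
            print(f"  {host:22} {'valid' if ok else 'name mismatch warning'}")
```

Note that the wildcard certificate covers subdomains but still not the bare domain, which needs its own entry.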

If I was doing anything even slightly more important – especially anything with personal data – I’d make mandatory SSL on certain activities like posting (which likely would go up on another page), uploading, etc. depending on the tasks. Luckily, I’m not. I’ll see about getting it off (although I won’t redirect people who use https://www.aarmstrong.org, and both ways will still work) tonight, and add a page to allow it to be turned on/off if people want.