I consider myself a moderately tech-savvy person. I’m not some kind of expert, but I manage to keep this website up and running. I understand in general what’s going on, the logic of a PHP database and other things, at least far enough to keep things functioning here. So, when I got the news that Google Chrome was going to start showing more strongly worded warning messages when people visited sites that weren’t properly set up to use https, well, I knew I needed to do something about that. While https honestly isn’t necessary for a site like this, I felt the risk of people avoiding the site due to the Chrome “not secure” warning would be something I should go ahead and mitigate. The last thing you want is someone to come to your site and get some kind of warning message from their browser, right?
Let’s understand, I’m writing about my experience as an amateur website owner. As I said above, I’m no expert – I never thought I would be forced into SSL and HTTPS, so I’ve never looked it up. Hell, most of my time spent reading up on technology is about things older than me, so… take all of this purely as personal experience.
Coincidentally, the hosting service I use, Hostgator (which I certainly do recommend) had set up a basic, but free, SSL certificate for sites using its hosting plan. Cool. This would be trivial to set up, right? Right?
No. As it turns out, it wouldn’t be. It would actually be a somewhat confusing mess. Granted, I think I was over-thinking it, but there are still aspects of the process which I just don’t understand and little things I just can’t change.
Right, let’s get to it.
It was Thursday night... really Friday morning, basically, as I had stayed at work for some promotional streaming on Facebook because that’s a thing we do. Already being awake, knowing I wouldn’t make it to bed anytime soon, I figured that would be a time to go through updating things.
I had already read up on the free SSL that Hostgator was providing and saw that there were a few things I’d need to do – namely, install a plugin and configure a few additional elements of the site to force HTTPS on other pages. Since the site is based around WordPress at its core, and nothing else, the key focus was this plugin.
I installed the plugin, loaded the site in Chrome and… not secure errors. I checked the plugin to discover there was a tiny bit of stuff I had to verify. Trying to do that led to a whole bunch of nothing. The plugin just didn’t work right.
Okay, let’s try another plugin. Hostgator also suggested a second one, which I tried. I got similar results at first, and then... suddenly, it worked. Maybe something had to propagate, the hell if I knew but it was working. Cool!
And then, I noticed something… something very odd. Yeah, HTTPS was working, but the registration that was set up wasn’t the right URL.
Sure, it’s set to a xadara.com domain and everything checks out, but it’s not set to the root, that is, to xadara.com itself. Instead, it’s, for some reason, set to a dormant URL, typecast.xadara.com – one I plan on using in the future for a side project.
Wonderful… the damn domain shown isn’t exactly the one I should want. Okay then, how about I fix that? Should be easy, right?
No, it wasn’t easy. In fact, I couldn’t even begin to figure it out. This is where the complete waste of time for my night came from. I would spend probably 2 hours, off and on between watching some videos online on unrelated content, trying to figure out just how in the hell to make the certificate simply say “xadara.com” on it. It actually went so far as to break functionality of the site for a while, and https never did act quite right for the remainder of the night when I did have it enabled, so, I took it off for a few days.
I never did figure it out. I’m not giving up, but as it stands I just don’t quite understand SSL, HTTPS, and the related technologies behind it all to fully solve the issue. Of course, this is all a side effect of me using the free SSL that Hostgator provided, so the issue could be with how their systems set things up, and would all be mitigated with me paying for a certificate. That, however, isn’t going to happen anytime soon, for obvious reasons.
Earlier this morning I tried one of the suggested plugins again, and got proper results. Of course, it still has the “typosphere” subdomain shown, instead of the root URL of the site, but I can live with that until I learn more about how all of this works and figure out a solution to that relatively minor annoyance.
Not everything went as smoothly as it could have, though. There was one thing lost in the transition – namely, the xadara.com hit counter, which has been used to log the raw hits to the site over the past few years, seems to no longer work with https enabled. As much as I enjoy seeing the already oddly high number climb, it would seem there isn’t much I can actually do about it – attempting to force https on that script did nothing. The raw link code shows fine in my browser when I jump directly to it, so it seems it’s just kind of dead. I’m sure there is a way to force it to display, but that might mean breaking the validity of the https check that Chrome does. So, away it goes... which means it may get its own article, because I’m weird like that.
Again, I’m only going through all this because Google has decided that Chrome should alert people to “not secure” sites, even though those sites might well have no need to be secure in the first place.
This is actually a big problem, too… why should a site that does no business transactions need https? It really doesn’t and even some guides I’ve read state that explicitly. Now Google has decided to make more of a fuss about this, obviously in an attempt to help people, but all it’s going to do is make people think any site that says “not secure” is hacking into their computer, or some other idiocy. They are still going to fall for the same phishing attacks they always do, and in the guise of helping people, Google is ensuring more of a pain in the ass for hobbyist webmasters than already exists.
I mean, I truly get there is an urge to push towards a more secure overall internet infrastructure, but this isn’t quite the best way to go about it. This is kind of like the mafia tearing up a store and saying you need to pay protection money. Okay, not really, but it’s reminiscent.
We’ll see how this pans out. It isn’t like these changes are irreversible: one click of a button and I can disable SSL and HTTPS on the site just as quickly as I enabled it. I just want to ensure that traffic doesn’t avoid the site because of some stupid warning label Google thinks should be on my site simply because of arbitrary reasoning and presumed risk.