SSL Encryption
- As of March 10th 2017, SSL Certificates are available free of charge to all our clients!
- We now offer SSL Certificates to all of our clients, free of charge. Our servers will generate a DV SSL certificate for you, and if it is about to expire: there's nothing you have to do, our servers will renew it fully automated! Hassle free, powerful security for your website. All it takes is enabling it one-time in your cPanel with a single click. From then on you don't have to do anything to maintain the SSL Certificate anymore: our server will ensure the SSL keeps workings and that your certificate is valid. it's all fully automated.*
We're very happy to introduce this feature, in order to contribute to an internet with better security and more privacy protection.
We call it AutoSSL, and you can find the functions in cPanel. This feature is powered by Let's Encrypt.
* = You may have to enable SSL in the software you use on your website. See "Caveats".
We provide these free certificates as a courtesy and to enhance safety, but cannot offer any warranty for its functioning. - What is SSL?
- SSL stands for Secure Sockets Layer. It encrypts the connection between your website and its visitors. This means that, should anyone be eavesdropping, the contents of the communication will be unreadable thanks to the encryption. This greatly enhances the security and privacy of you and your visitors. You recognize an SSL encrypted connection by a, usually, green lock and/or green browser bar that, when you hover your mouse over it, tells you the connection is secure/encrypted. (If the lock icon shows an unlocked lock or the icon does not show up at all: it's not secured.) Our website has such an encrypted connection, so you should be able to see the lock in your address bar.
- Why SSL?
- The internet works with something called Network Packets. When you visit your website, many of such packets are being exchanged between your computer and our servers. When they're unencrypted (http://), then with the use of special tools: the data can be "eavesdropped" on by a malicious hacker, or for example the government. This applies when such a hacker would be able to tap in anywhere on the connection between you/your visitors and the server (on public/insecure WiFi for example), and what has been sent can then be read accordingly; including plain-text passwords if someone is trying to login. When SSL is enabled on your website: these packets are encrypted, which means that the contents of the packets are "scrambled", and cannot be read when captured. Under normal circumstances: only the visitor and the server can encrypt/decrypt the packets being exchanged, a malicious hacker will not be able to read it. This greatly enhances the safety of your visitors, especially when your site features functionality that requires a login with username and password, or when sensitive (private) data is being exchanged. SSL not only enhances security, it also helpts protect the privacy of you and your visitors.
SSL basically tries to ensure the following:
- Secures sensitive data in transit by encrypting it, so that for example usernames/passwords cannot be stolen by sniffing network packets
- Enhances privacy, as eavesdropping is made near impossible. For example: you have an SMF forum, and someone posts a private story about their life in a hidden board. Without SSL, a malicious hacker could in certain circumstances (such as eavesdropping on public WiFi networks) try to intercept the network communication and thus read the conent of that post. SSL encryptes the traffic, and ensures nobody is able to read it even if they manage to wiretap the connection between your site and that visitor.
- A valid SSL Certificate guarantees that your visitors know it's your website they're visiting. If a malicious hacker would somehow be able to manipulate network traffic and make your domain load from a different server: the affected visitors will immediately get a warning in their browser.
These mechanisms are called: encryption and authentication. - Any caveats?
- Yes, your website or the software running on your website (such as SMF or WordPress) must support SSL; or must be modified to support it; and the best practice is to force-enable such encryption. Most modern day software has SSL support built-in by default, for ease of use.
If it does not support SSL (https://), but you do force the use of it: then it may not function properly, may not function at all or everytime the visitor clicks on a link or submits data: the SSL encryption will be deactivated due to the site turning "https://" (secure) in to "http://" (insecure). Having an SSL certificate installed on your domain does not mean that you have to use it, unencrypted connections are still possible without a problem; so you may also choose to secure only selected parts of your site. (Such as the login feature.)
For SSL to work, the website must be visited with "https://". You can, usually, configure your site and/or the software running on it to automatically convert "http://" links in to "https://" links, to activate SSL. Mod_rewrite can also be useful for this purpose.
What should also be mentioned is another situation to keep in mind; When you use software like SMF for a forum, and you allow the use of the
"[img]" bbc tag in order for people to hotlink images from another website, when images are being loaded from an insecure website (http://) that does not use SSL as well: the browser will give a warning that not all data is encrypted. This can be experienced as annoying. We therefore advise to disable the "[img]" tag, and only allow your visitors to show images by uploading them as an attachment.
SMF 2.0.14 and SMF 2.1 Beta are fully compatible with SSL, including the usage of the IMG tags - so you don't have to do anything in these versions.
Last but not least: nothing is 100% secure, and SSL isn't either. Whilst it adds a very powerful security layer to your website, SSL can't guarantee full protection.
Example: if the computer of your visitor is infected with a virus: SSL cannot protect them, maybe the virus can record what they type on their keyboard or even watch their screen; SSL only protects the data that is exchanged over the internet between your website and your visitors, but it does not protect data on your computer. SSL greatly enhances security and privacy, but it does not replace security software like an anti-virus scanner, it does not replace common sense, you still have to be careful about what you do and what devices/networks you use, it does not replace the need for strong and powerful passwords nor the need to use different passwords on all websites you use and it cannot, for example, protect you against hacks through software bugs. SSL isn't perfect, but it helps protect against a lot of nasty attacks that are fairly easy to perform with widely available hacking tools. - Ok, now I'm very worried about the security of my website. Should I be?
- Yes and no. Usually not, there's no reason to panic. Whilst the danger exists, a malicious hacker must first have access to your, or your visitors, connection with our servers in order to be able to eavesdrop. Under normal circumstances, for example when you're logged in on your secured home (WiFi) network, those risks are rather low. However, it is still advised to use SSL; especially because any of your visitors could, for example, at anytime be logged in to an insecure network; like a free WiFi hotspot or a (WiFi) connection at a university or public library with many users where it just takes one malicious person "sniffing" packets in order to be vulnerable. To ensure they're safe: SSL is recommended. The choice to use SSL is up to you. Generally, for a website where no sensitive data (such as passwords) are being exchanged with our servers: SSL is not strictly needed, but it is still highly recommended as SSL gives a boost to the security of your website and to the privacy of both yourself as your visitors. It also helps give your site a higher ranking in Google's search results, and most browsers (such as Chrome and Firefox) are starting to show warnings for websites that don't have SSL encryption enabled.
- Ok, i'm convinced. What does it cost?
- There are many types of SSL certificates. As of March 10th 2017, SSL Certificates are available free of charge to our clients. It is available in your cPanel. We currently only provide domain-validation based SSL certificates. It is currently not possible to purchase SSL Certificates through Gray Web Host for use outside of our own hosting platform. If your website is hosted with us, you get SSL Certificates completely free of charge!
If you're looking for SSL Certificates other than DV, such as OV or EV certificates: please contact our sales team or open a support ticket for pricing information. Please be aware that OV and EV certificates require extensive paperwork, and are usually only useful for businesses (whom wish to display a green browser bar.). - Do I have to buy an SSL Certificate with Gray Webhost?
- First of all, we provide Domain Validated (DV) SSL Certificates completely free of charge to all of our clients. Should you require another type of certificate, or for whatever reason you do not wish to use Let's Encrypt: no, you may also choose to purchase an SSL certificate elsewhere for any of your domains. Our control panel (cPanel) allows you to set it up. When purchasing an SSL certificate from another vendor, you do not have to pay anything extra to us. SSL support is included free of charge.
Our servers support all types of SSL Certificates, including wildcard, organization validated and EV certificates.
Keep in mind: SSL is optional, we do not force you to use it. But it is a very good idea to do so, especially since Google puts non-encrypted websites lower in its search engine results, and browsers such as FireFox and Chrome display warnings for non-HTTPS websites. - I have multiple domains, and want to buy multiple SSL certificates from you, is it possible?
- As a shared hosting client, you can protect all of your domains free of charge (DV) through the cPanel control panel. If you wish to purchase multiple OV or EV certificates, please contact support.
- Do you apply SSL anywhere?
- We do. Our website and our order system are secured by SSL; and so is our control panel. (cPanel)
Additionally, we offer the ability to connect with SSL encryption for the connection with our e-mail servers, webmail services and FTP.
We do our utmost best to provide you with the most secure connection to our services as reasonably possible.