I noticed a while ago that Facebook stopped showing links to our blog and site. They are all marked "403 Forbidden." Nice. Then it got worse, as Google decided to make an update to Chrome that marks any site not using HTTPS as insecure.
So what exactly is "HTTPS"? The internet functions on a communication protocol called HTTP—HyperText Transfer Protocol. "HyperText" is an old term for the formatted text you read online all the time now. The "S" on the end is for "Secure" and indicates that the connection between your device and the server is encrypted. That basically means that the two devices are speaking in a code to prevent others from listening in.
Now, HTTPS is important, I'm not denying that. In fact, for many sites out there, it's critical. I have never shopped online with any site that didn't have it. My problem is that being secure is typically expensive. Huge mega-corporations with billions of dollars (ahem, like Google and Facebook) are forcing us, as a small business, to pay roughly $75-100 a year for a security certificate that we don't need... per site... yes, for every Internet domain we own. There are cheaper options, but they take a lot more time and effort to set up.
HTTPS has many benefits, but not every site needs it. Lost Luggage Studios does not maintain our own store. We don't store your credit card information. Actually, to be totally honest, the only info we ever get is your PayPal account's email address; and we only get that if you donate or buy software. People purchasing our books through Amazon, Smashwords, or other retailers? We see nothing but a number on a sales chart.
We store no passwords, maintain no accounts... in short, our site (like many, many others) has zero current need for HTTPS.
And besides, all those high-profile hacks you see with your personal info getting stolen left and right? Yeah, that was done over HTTPS connections. Didn't help you much, did it? You see, you—as an individual sitting in a coffee shop or airport on free wifi—are not the primary target. The server is the target. No hacker wants to expend effort to steal one person's information. They want to get it in bulk. Attacking the server that stores all that info is the most efficient approach. Your single connection to your bank? Small potatoes.
I truly believe this is all just fear-mongering. Big companies line their pockets with the cash they get from selling security certificates. Little companies, who struggle constantly, have to keep paying more and more just to stay afloat.
Lost Luggage Studios is certainly no cash cow. In fact, since our founding in 2008, I think our best year had a loss of $300. But we stay open because it's our creative outlet, and we love what we do. But paying for hosting costs a lot, and paying for security certificates we don't need will cost us even more.
The simple fact is that these companies are pushing SSL and HTTPS by making you afraid. It won't be long before any HTTP site is marked as dangerous—not just insecure, but dangerous.
Our Last Straw
I mean no disrespect, but it all boils down to this: you probably don't understand what I'm talking about, and most likely have no idea what HTTP, HTTPS, SSL, or any of this means.
And that's okay.
But having your web browser tell you that my site is "Forbidden" or "Insecure" is unfair, because we collect no information about you at all. Why does it matter if I choose not to spend $300-$400 a year just to get a little green "secure" icon? It might give you a warm, fuzzy, safe feeling, but it accomplishes little else. The software world is even worse—digital signature security certificates would cost us about $400 for every program we release... every year. Ouch.
Small businesses are already hard enough to fund and run. This is just one more straw on this camel's back.
So while we're losing $300-500 a year and writing the business off as a loss on our taxes, Google and Facebook and all the other huge companies doing this to every other company out there... yeah, they are all rolling around in their billions of dollars. I can't see this as anything other than a clear-cut case of the 1% vs the 99%. We hoped to form our own little company to put out great products and—hopefully some day—earn enough money to sustain ourselves... what utter audacity.
So... what to do?
There are free options, like Let's Encrypt, which I use on some sites that I host out of my home network. But GoDaddy hosts most of our sites, and they provide no interface to use Let's Encrypt. Why should they? They sell SSL security certificates. Providing an easy way to interface with any other certificate authority (especially a free one) would cannibalize their own business. Issuing and updating these certificates is trivial. I can generate a simple self-signed one in under a minute, with no more than three commands on a Linux machine. I'm sure they have it scripted. If not, they're idiots. So it's all profit for them.
Our only choice in this matter is simple: move.
We need to have one of these security certificates, but we already have chronically negative income (I call it "outcome"). So I'll kill two cash cows with one stone.
Moving To My Server
A few weeks ago, I moved Lost Luggage Studios and all our other sub-sites to my server, hosted in my home, on my own internet connection. I generated free Let's Encrypt SSL certificates for all of our sites. Now you should see a happy little "secure" icon in the address bar (unless I screwed up certain pages here and there).
TL;DR: The end results of this move are:
1. Facebook should stop hiding / censoring our blog posts, so you can stay up to date on all our silliness.
2. Google should stop punishing us in their search results, so people can actually find us again.
3. Our website will most likely run faster (since I built a beast of a server here).
4. Our website will most likely go down more often (power and internet in Maine can be spotty, especially in winter months).
5. GoDaddy will lose a few hundred dollars a year from us. (I maintain that this is their own damn fault for never rewarding loyalty.)
6. I'll toast the successful move with a cold, dark beer.
Quite frankly, the only real loser in all of this is GoDaddy, and we all knew #6 was going to happen anyway.