[homerguy69]

Sweet, this is basically want Lets Encrypt wanted, make the market go towards this free SSL model.

[Nadya]

Companies who aren't in the business of selling TLS [0] certs themselves have little excuse to not offer free TLS via Let's Encrypt. It's an advantage over any competitors who haven't set that process up.

If your company does hosting - your company should provide TLS certs via Let's Encrypt automatically.

[0] Can we start dropping the SSL part now? Generally SSL v2/v3 is disabled so it is all over TLS anyway.

[RKearney]

> Can we start dropping the SSL part now? Generally SSL v2/v3 is disabled so it is all over TLS anyway.

It's the same certificate though. So can we start calling them X.509 certs which is more proper than SSL or TLS cert?

[nailer]

A bunch of folks have started calling the ones used for websites 'https certs' since 'https' actually appears in the browser UI and 'tls/ssl' is unwieldy.

[user5994461]

> If your company does hosting - your company should provide TLS certs via Let's Encrypt automatically.

Correction: As part of the paid plan.

Why give for free sometimes you can charge money for.

[JoshTriplett]

If you have a free plan at all, then the only reason TLS should not be a paid feature would be if you intentionally want to position the free plan as "don't take this seriously because you can't build anything production-quality on it".

[JoshTriplett]

> If you have a free plan at all, then the only reason TLS should not be a paid feature would be if you intentionally want to position the free plan as "don't take this seriously because you can't build anything production-quality on it".

I only just now noticed a rather serious typo there, making that sentence confusing. Should have said "the only reason TLS should be a paid feature", which fits with the rest of the sentence.

[nsgi]

There are ways of doing that without sacrificing security. Making TLS a paid-only feature makes no more sense than making CSRF protection a paid-only feature.

[hamandcheese]

On Heroku, TLS is enabled if you use the *.herokuapp.com domain, even on free plans.

So really they are charging you if you need a custom domain and security (i.e. Something most businesses do need and most hobbies don't).

Seems a like a reasonable and fair way to segment their market to me.

[user5994461]

That makes sense for a hosting service. A lot of them works that way. Hosting a static free blog doesn't need TLS.

[icebraining]

Considering the amount of crap ISPs have been known to inject into websites, I disagree. TLS isn't just for encryption, it also provides data integrity.

[Godel_unicode]

This is the correct answer. Use this reasoning.

[IgorPartola]

Yes it does. Stop spreading this misinformation because it is dangerous. Everything should be encrypted. I don't want people knowing that I'm reading your blog or what on it I am reading.

[Jach]

Now who's spreading misinformation? HTTPS doesn't protect the fact you're reading a blog (the IP of the server will be observed, and typically the server name through the cert itself) and while one can't prove which URLs of the server you visited one can infer based on the amount of traffic sent.

[JoshTriplett]

> Hosting a static free blog doesn't need TLS.

Many kinds of static content need TLS, including protection from MITM and protection from eavesdroppers. Static doesn't mean "not sensitive". (Leaving aside the reasonable presumption today that all content is potentially sensitive.)

[Nadya]

Because your competitors will do so and the paid plan should be to paying for bandwidth or storage space, not TLS. Now you just lost your lunch to competitors who aren't trying to nickle and dime their customers.

>Hosting a static free blog doesn't need TLS.

Completely wrong, although others explained why already.