by sturgill 2381 days ago
AWS certificates are free. Cloudflare will also put SSL in front of your origin for free.

So if you’re using AWS you get it for free. Or you can slap CloudFront or Cloudflare in front of your origin.

I think the barrier is low enough that I SSL all the things (including my small side projects).

4 comments

> Cloudflare will also put SSL in front of your origin for free.

Used to be everyone complained about CF putting SSL in front of HTTP origins.

However, CF can also issue a CF-signed certificate with a stupid long expiration for your origins[1] and validate it. This is how I fully SSL many of the things while avoiding potential headaches with LE / ACME. Combine with Authenticated Origin Pulls[2] and firewalling to CF's IP ranges[3] for further security.

Of course, that still leaves CF doing a MITM on all my things.

[1] https://blog.cloudflare.com/cloudflare-ca-encryption-origin/

[2] https://blog.cloudflare.com/protecting-the-origin-with-tls-a...

[3] https://www.cloudflare.com/ips/
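
The origin setup described in the comment above, sketched as an nginx server block. This is an added example, not the commenter's configuration: the file paths, the server name and the CIDR ranges are placeholders (the ranges are documentation prefixes, to be replaced with the published list at [3]).

```nginx
# Added example: origin that accepts HTTPS only from the CDN edge.
# Every path, name and address range here is a placeholder.

server {
    listen 443 ssl;
    server_name example.com;

    # Certificate the origin presents to the edge, e.g. the long-lived
    # CA-issued origin certificate described in [1].
    ssl_certificate     /etc/nginx/tls/origin-cert.pem;
    ssl_certificate_key /etc/nginx/tls/origin-key.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Authenticated Origin Pulls [2] is mutual TLS: the edge presents a
    # client certificate and the origin verifies it against the CA
    # certificate published for that purpose.
    ssl_client_certificate /etc/nginx/tls/origin-pull-ca.pem;
    ssl_verify_client      on;  # requests without a valid client cert are rejected

    # Address allowlist. The same ranges belong in the host or cloud
    # firewall; allow/deny is the in-config equivalent. Without it, the
    # origin is still reachable by anyone who learns its IP address.
    allow 192.0.2.0/24;    # placeholder for an edge IPv4 range from [3]
    allow 2001:db8::/32;   # placeholder for an edge IPv6 range from [3]
    deny  all;

    location / {
        root /var/www/html;
    }
}
```

The client-certificate check and the address allowlist are independent controls: the first proves the caller holds the edge's key, the second limits who can reach the TLS listener at all.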

Azure just released free SSLs as well after years of feedback - https://docs.microsoft.com/en-us/azure/app-service/configure...

Static hosts like Netlify & GitHub also enable free SSLs. The barrier is so low most people trip over it.

I am sure there are still very unique edge cases though. If I had one of those edge cases I would sit down & really weigh the pros & cons of not using HTTPS, though. I would not take it lightly.

> AWS certificates are free.

"Free", but you can only use them on AWS stuff. AWS makes it nice and easy (and does a bunch behind the scenes for you). Part of that behind-the-scenes is that they have control of the private key on their side. You want to use the AWS generated cert locally, or on another provider, too bad.

You’re right, but it’s pretty simple to slap CloudFront (or Cloudflare) ahead of those origins if you need to in a pinch. I don’t work for Amazon (and have no dog in the fight) but I am a fan of AWS. And if you’re ever using AWS for anything, there’s no reason to _not_ use their free certs.

Someone else mentioned Azure having a similar offering (I’ve never played with Azure so I can’t speak to it). And if 2/3 of the providers offer it, I’d imagine GCP will at some point as well.

I love how easy it’s becoming to launch SSL. LetsEncrypt did a lot to make it mainstream. I’ve never used LE but I am grateful for their impact on our industry.

> I think the barrier is low enough that I SSL all the things (including my small side projects).

Same here. If you have a domain then you should have a cert, it's not that hard today.

My wife wanted a website that's pictures of our dog as a joke, right now it's a single img tag. The second thing I did after that was getting an HTTPS cert and forcing redirection.