Delivering solid user friendly software solutions since the dawn of time.

To SSL or not to SSL

Categories: IIS mojoPortal Security

To SSL or not to SSL, that is the question.
We are not running a bank, so my business doesn't need that. Does it?

Ano 2013, still millions of sites on the internet are running insecurely over http port 80 and who can blame them. Switching your site to https puts more pressure on your web server, makes your ranking in the SERP drop and on top of that it is a pain to get a good certificate working. Or so they say...

Graph of website hits after switching to ssl

So, let's check this out.

  1. yes, you will lose money while transfering serp ranking, it takes on average around one and a half month to transfer it. More of an issue is the fact that adsense doens't support https... yes dumb very dumb... you can change the protocol but then you do not comply with the agreement... yes, can't understand this one either. 
  2. difference in speed is only a few miliseconds, so no problem there
  3. yes, it is not easy to set up correctly when it is your first time

And last but not least, yes you should put your whole site on ssl. Well actually tls. And this means everything, not just parts of it or your users will get sslstripped away... so educate your users.

And then my checklist, the reason I am posting it here.

Testing with a self-signed certificate


  • Basic : one ip, one domain
  • Wildcard : one ip, one domain + subdomains
  • SAN aka UCC : one ip, multiple domains
  • SNI : multiple certificates on one ip (eg. not supported on IE for XP)

Requesting a certificate

  • Lot of personal details + calls
  • DNS records should match your personal details 

Import certificate and trust intermediate certificates

  • Especially Firefox doesn't like it, if you forget to trust the intermediates

IIS Settings

  • Bindings
  • Use an astriks * in front of the friendly name, so you can use the GUI to set the hostnames 
  • OR use appcmd set site /site.name:"<IISSiteName>" /+bindings. [protocol='https',bindingInformation='*:443:<hostHeaderValue>']
  • Rewrite with 301 (do not use 302)
  • Add strict security headers for HTST, and use chrome://net-internals to check if they are correct. (Strict-Transport-Security / max-age=16070400; includeSubDomains)

Additional settings for mojoPortal

  • SSLAvailable on true
  • SSLIsRequiredByWebserver (web.config) & Require SSL on All Pages (admin ui -> will update cannonical)
  • SSLCookies in two places + different cookie name
  • Robots file for ssl, you probably need same as default one
  • Test also for page that doesn't exists
  • If using paypal, make sure your update your url protocols

Update your content

  • <link rel='canonical' href='https...
  • using // for img and javascript
  • update your own links to https where posible
  • hopefully you don't use third party that doesn't support https
  • recommend and social links: point an og:url meta tag for both URLs to the https one

Update your webmaster tools

  • http and https are seen as different sites

more on https:

update (aug 2014)

Today google announced to take https into account for their search ranking. I hope they also do something about the adsense, but at least it is a step in the right direction. Read more at http://googlewebmastercentral.blogspot.be/2014/08/https-as-ranking-signal.html.