How to get a free SSL/TLS certificate for HTTPS security?

If you are a blogger or the owner of a small business website, you need to have an SSL certificate implemented on your website so that the website is protected by the HTTPS protocol. However, you need not pay for it because a totally free and fully dependable SSL/TLS certificate is available.

As a blogger or website owner you would know that the world wide web (www) runs using a protocol called Hyper Text Transfer Protocol or HTTP. So, all websites must have an HTTP declaration in their URL.

But it is possible for miscreants to 'phish' or present a shady website as a genuine website. The HTTP protocol is not able to check such illegal actions. Moreover, when the data is being transported between your website server and the user's internet browser, there are 'sniffer' programs that can read the data. So, there is more and more stress on making the protocol secure. Thus came HTTPS (S in the abbreviation represents 'secure'). Now a majority of websites and blogs have this prefix in their URLs.

How HTTPS works


HTTPS simply denotes that your website has been verified to be 'secure' by a certification authority. There are many levels of HTTPS security, and I will explain them shortly. 

When you type the web address of a reliable bank site, it shows the entire ID of the website given in full, with a lock displayed or secure written before the URL. Now, use another website with HTTPS (not a bank or such high security website) and you find a lock before the URL. Now type a blog address that you feel might not be behind HTTPS security. Non-HTTPS sites do not have a lock and your browser may warn you that the site is not secure. Let me give the URL of a blog created just for showing you this: non-HTTPS blog. (When you click on the link, it may take you to the HTTPS enabled blog. Go to the address bar and replace HTTPS with HTTP to go to the unsecure version.)


Must get an SSL or TLS certificate for HTTPS security

All websites with a lock preceding the URL are secure to the extent that due to the HTTPS protocol, the communication between the user's browser and the website server is encrypted and thus secure. In the case of banks, credit cards etc, the certification authority does a lot of background checks regarding the trustworthiness of the website owner while in the case of the lowest level of security certificate, there is no such check.  So, a lower level of HTTPS security does not ensure that the website is not a fake one or its owner is not a fraudster/ criminal.

How the HTTPS protocol comes into the picture is like this: When a user enters a URL in his browser, communication protocols send a request to the server of the target website, asking for the information on the site. In the case of HTTPS-enabled sites, there is a security certificate, called SSL (Secure Sockets Layer) or TLS (Transport Layer Security), on the site server. The site sends this certificate to the browser, and the browser checks whether the certificate is trustworthy. After verification of the certificate, there is a 'handshake' between the server and the browser; from then on, all the data flow between the two ends during that session is encrypted.

Is HTTPS security that important for bloggers and website owners?


Having HTTPS implemented on a website means the communication between the user's browser and the website will not be prone to misuse by miscreants.

In addition, with encrypted communication, those lurking to snoop into the sessions to know user behavior or data cannot succeed. That includes not only criminals and miscreants but also competitors and those wanting to steal data. It would also not be possible for others to inject ads or malicious code into secure communication.

For businesses and small website owners and bloggers alike, HTTPS has many advantages besides making the site more secure. When the site is seen as secure, visitors are likely to be more confident in viewing the content, clicking on links and doing transactions on the site. Being technologically up-to-date also gives a positive signal to the visitors about seriousness and professionalism of the website owner/ business/ blogger.

Internet browsers have started deprecating non-HTTPS sites. When a non-HTTPS website is opened, the browser warns that it is not secure. Similarly, when an HTTPS-enabled website has a defective certificate, the site is labeled insecure. Thus, not having HTTPS makes the site/blog suspect in the eyes of the visitor.

How HTTPS works in reality

It is natural that the credibility gained due to HTTPS implementation puts such websites higher in the eyes of search engines. In fact, Google has publicly stated that HTTPS is a quality signal for search ranking.

Now that over 80% of websites have implemented HTTPS, the websites/blogs without HTTPS raise alarm.  Major free blogging platforms have implemented HTTPS on all their blogs. So, by default, blogs with .blogspot.com, .wordpress.com and .tumblr.com domain endings are behind HTTPS security layer. Blogging platform Blogger also allows mapped domains (without blogspot in the URL) to have this security.  Your social networking accounts come with HTTPS because Facebook, Google, Twitter, etc have implemented it across their platforms. 

How does HTTPS work against phishing and sniffing?


As said above, there are different types of certificates issued by CAs to cater to different levels of security. The CA has to carry out validations for the website and the website owner, as follows:
  • Domain-Control Validation (DV): It only verifies the domain and is done for the basic level of SSL.
  • Organization Validation: It also verifies the identity of the owner organization behind the domain.
  • Extended Validation: It does the strongest, highly rigorous, checks of the owner's identity.
Thus, if an HTTPS enabled site has SSL/ TLS certificate with only domain validation, the domain can be trusted as genuine but its owner could himself be of doubtful credentials. So, sites with HTTPS certification of the first type could still be malicious. Moreover, criminals could use HTTPS-enabled websites, such as blogs, where third-party content is allowed. There could also be rogue or corrupted certificates getting issued or the same certificate getting used for a good and many bad sites.

However, if you are not doing a monetary or high-security transaction on a website, HTTPS itself is first level of assurance that you are using a safe site (yes, with some chances of phishing). For confidential transactions, you must be sure that the website uses a higher level of certification - seen with padlock and company's name before the URL. 
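An added example (not from the original post): a Python heuristic that tells the three validation levels apart by looking at which identity fields the CA placed in the certificate's subject. The sample certificates are constructed, and `subject_fields`, `validation_level` and `fetch_cert` are names chosen for this illustration.

```python
import socket
import ssl

# Subject attributes that CA/Browser Forum rules require in EV certificates.
EV_ATTRS = {"businessCategory", "serialNumber", "jurisdictionCountryName"}


def subject_fields(cert):
    """Flatten the nested 'subject' tuples of a getpeercert() dict."""
    return {key: value for rdn in cert.get("subject", ()) for key, value in rdn}


def validation_level(cert):
    """Heuristic: infer DV / OV / EV from the identity fields the CA vouched for."""
    fields = subject_fields(cert)
    if "organizationName" not in fields:
        return "DV"   # only control of the domain was validated
    if EV_ATTRS.issubset(fields):
        return "EV"   # organization plus its registration details
    return "OV"       # organization verified, no EV attributes


def fetch_cert(host, port=443, timeout=5):
    """Fetch a live site's certificate after normal verification (needs network)."""
    ctx = ssl.create_default_context()  # checks the chain and the hostname
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates, in the dict shape getpeercert() returns.
DV_CERT = {"subject": ((("commonName", "blog.example"),),)}
OV_CERT = {"subject": ((("countryName", "US"),),
                       (("organizationName", "Example Shop Inc"),),
                       (("commonName", "shop.example"),))}
EV_CERT = {"subject": ((("businessCategory", "Private Organization"),),
                       (("jurisdictionCountryName", "US"),),
                       (("serialNumber", "0000000"),),
                       (("organizationName", "Example Bank Corp"),),
                       (("commonName", "bank.example"),))}

if __name__ == "__main__":
    for cert in (DV_CERT, OV_CERT, EV_CERT):
        fields = subject_fields(cert)
        print(fields["commonName"], validation_level(cert),
              fields.get("organizationName", "(no organization listed)"))
```

A DV result means the padlock only proves the connection reaches that domain; the organization name shown for OV and EV is the part the CA checked against the owner.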

How do I get a free SSL/TLS certificate and which is the best free certificate available?


It is high time to give your blog or website at least the basic HTTPS security if it still lacks it. If your blog is a self-hosted blog or you own a website, you must get an HTTPS certificate without losing time.

HTTPS certificates are given by certification authorities or CAs. You will have to check whether your web host also doubles up as a CA. Initially, most web hosts were charging heavily for providing HTTPS security, but now they have learnt to give at least the basic security free. Many web hosts are now implementing basic HTTPS on their clients' websites free of cost. However, read the fine print. The certificate may be free only for the first year and will need to be updated when you renew the web hosting plan.

There is an easy way to get SSL/TLS certification for free. Let's Encrypt, a free certification authority supported by some top companies, provides it free to websites and self-hosted blogs. The certificate needs to be renewed regularly to stay valid. Let's Encrypt has announced that it has issued more than a billion SSL/TLS certificates in about 2 years of its inception.

I have no hesitation in saying that for general purposes Let's Encrypt is the best free SSL/TLS certificate.

Which is the best free SSL or TLS certificate?

However, if your website/ blog offers e-commerce services or you provide premium services through registration, please buy a higher level of certificate from a CA (e.g. Comodo, Symantec, GoDaddy, DigiCert) and implement it through your web host.
