Earlier this week I found my friend Nik Molnar's article about a new Azure Website extension to enable free SSL certificates, "Let's Encrypt" Azure Web Apps the Free and Easy Way. I have not had a chance to try this out, but free SSL support is a very significant new feature.
Over the past year it become apparent all sites need to implement SSL. Both HTTP/2 and Service Workers require SSL. For years cellular carriers required SSL for Web Sockets. Search Engines are using SSL as a major signal in search engine optimizations. These are four big reasons why you need to go SSL now even for a mom and pop business card site.
Many new web standards are requiring SSL before a browser will support them. This seems to be a trend as the W3C is concerned about user privacy and security. Requiring SSL is a way to reduce our customers risks using richer features like Service Workers and Notifications.
I remember back in the late 90s I would build an E-commerce application and need to add SSL. Initially you could only go to Network Solutions for an SSL certificate and they were expensive. Thawte opened up and certificates became slightly more affordable. But more than certificate cost, there was an application process. The process took several days and more involved than getting a driver's license.
I recall the headaches we experienced when I put my mother's online doll store together. The process required some sort of business license, which my mother had. Unfortunately the lady reviewing the documents did not approve of the municipalities business license and rejected the application. After a 10 days we finally worked things out, I think I found a new certificate provider, but I never did business with that company again.
As time marched on the process simplified, and pricing came down. Certificate providers started offering ancillary services with certificates in efforts to bump up their profit margins. Technology also created stronger encryptions, etc. At the heart of the matter was the encryption and I knew generating a certificate was a very low impact technical process. For years I wondered why no free certificate issuers were available.
Today there are many choices of free certificates, very good news. This means anyone should be able to implement SSL without prohibitive expense. I worked with many small businesses in my career and know they cannot justify $50-200/year for SSL.
Back in those early days you could only host a single domain per IP address if SSL was used, but HTTP has improved, eliminating this limitation. IP addresses are expensive because there is a finite set of addresses available. Today any web server supporting SNI can now 'multiplex' SSL certificated per IP address, much like you host multiple domains per IP address.
SNI allows SSL to work like domains. Multiple host headers (domain names) can point to the same web site on the same IP address. The same IP address also supports hosting multiple sites across multiple domains. The web server, IIS or Apache for example, manages the request routing. This makes hosting web sites much more affordable by enabling shared hosting.
All these advances in SSL technology have been great. The problem is Azure App Services (Web Sites) were sort of stuck with an old SSL mindset, expensive. $9 a month expense, which is more than the typical small business pays to host their site. This cost barrier meant small businesses could not leverage the power of Azure web sites and were much better off using a small virtual machine.
The new Azure App Service SSL extension breaks this barrier down. Now web sites of all sizes can create a free certificate and apply it to their site. The process is not the simplest process yet. Once I go through the process a few times I will post more details.
I am excited about free SSL support. This opens up the higher level of security to smaller and medium sized businesses. Free SSL support also allows me as a developer to be able to test newer technologies like service workers on real devices. Since Google announced a correlation between SEO and SSL I have been worried many small businesses would be penalized. For example, I wanted to upgrade this site to SSL, but also wanted to move from the VM to App Services. The Azure SSL cost was prohibitive to me, but not now. My time has not allowed me to move yet, but an upgrade is in the near future and it will be SSL encrypted!
Next App Services needs to add HTTP/2 support. This will happen once they upgrade the underlying operating system to Server 2016, which will offer HTTP/2 support in its network stack. Service Workers and HTTP/2 offer more significant technology upgrades we sorely need.
If you have a web site or service hosted in Azure App Services you need to look at the new SSL extension. SSL certificates can now be created for free, without much hassle. SSL support enables you to encrypt your site, achieve better SEO and enable you to take advantage of new technologies requiring SSL.