
No longer cost-prohibitive

Since the beginning of SSL, certificates have come with a cost, typically an annual one. In the past (around 15 years ago), certificates typically cost between $100 and $500 a year. You can think about it like an annual business license. In fact, to complete a certificate request, you often needed proof of business or organization. The issuing process was also time-prohibitive: it often took 3–14 days to get a certificate, because the issuing authority had a staff that evaluated every certificate request and the accompanying paperwork. It was a very archaic process for a digital platform.

While enterprises do not blink at a $100-a-year fee for their web site, the average small business does. There are thousands of small businesses for every enterprise. As well as traditional small businesses, there are millions of businesses, blogs, forums, and other entities that make little to no revenue from their site. They can barely justify their hosting overhead. HTTPS is just not viable at those rates.

Another cost you might not think about is IP addresses. In the beginning, SSL required a dedicated IP address. Despite millions of possible IP addresses, there were not enough, not even close. The limited supply of IP addresses also raised the price of HTTPS. This could have added another $100 or more a year to the cost of hosting a site. Today, this has changed. A certificate now maps to a domain, which eliminates this tax.

Today, HTTPS requirements and costs have all relaxed. There are many low-cost certificate providers. In fact, you can obtain a certificate for free from Amazon or Let's Encrypt (https://letsencrypt.org). According to the latest stats Let's Encrypt shares, it has issued over 50 million certificates.

Up to this point, I have referred to SSL, but that name is not exactly correct anymore. Transport Layer Security (TLS) is the proper term used today. The security protocol continues to evolve over time. SSL was originally created by Netscape, which is now owned by AOL.

To avoid potential legal issues, TLS was first drafted in 1999 in RFC 2246 (see https://tools.ietf.org/html/rfc2246). The primary intent behind the name change was to separate the encryption protocol from Netscape and make it more open and free.

SSL and TLS are interchangeable in general conversation, as most people will understand what you mean.

Which protocol version you implement is limited by your server platform. Because TLS 1.2 is very well established at this point, it is difficult to find a server platform or browser that does not support version 1.2. But Qualys has some advice:

"There are five protocols in the SSL/TLS family, but not all of them are secure. The best practice is to use TLS v1.0 as your main protocol (making sure the BEAST attack is mitigated in configuration) and TLS v1.1 and v1.2 if they are supported by your server platform. That way, the clients that support newer protocols will select them, and those that don't will fall back to TLS v1.0. You must not use SSL v2.0, because it is insecure."

Fortunately, when you create a TLS certificate, the protocol version is handled for you. Later in this chapter, I will go through the steps to create a certificate in AWS and Let's Encrypt, both free services.
