Should I do something about Google’s HTTPS suggestions
September 30, 2017 5:54 AM
A FB friend noted they were upgrading their website to https because Google is saying that in Chrome v62 pages with forms and all pages visited in Incognito mode will be marked as not secure. That happens on October 1st.
I don’t have any data entry fields on my websites (several domains at the same host), so should I be concerned and do something about it?
My web host offers SSL as an add on, and also sells certificates at $10 per site per year, with discounts for longer time periods and maybe for multiple sites. Not sure what the charge to turn on SSL is. I apparently don’t need to move my web content to another folder, just turn it on.
I added SSL to my site a couple of months ago. The blog post is specific to my host (Webfaction), but might still be helpful. I found another certificate provider to be easier to install and configure than Let's Encrypt. Let's Encrypt requires you to renew every 90 days. I decided paying $15 for a 3-year certificate was a better option.
posted by COD at 6:42 AM on September 30, 2017 [1 favorite]
I upgraded several sites to https mid-August and one of them suffered a 50% loss in traffic in the following days due to Google massively dereferencing our http pages. It's (almost) back to normal now, but it took several weeks for Google to reindex correctly the pages as https. Please read carefully about http->https conversion tips before you start, particularly if you use a CMS.
posted by elgilito at 6:49 AM on September 30, 2017 [1 favorite]
You will notice at the top of this site by the URL bar and the favicon an upside-down exclamation mark in a circle. Click on this and it will tell you that this site (and any other non-https site) is not secure. This is one of many articles telling you why you should switch. I did it. It cost me nothing but took about an hour's work. I have not checked my Google ranking but I have no doubt that, in the long-term, having https will improve it. Sooner or later all legit sites will be https.
posted by TheRaven at 7:13 AM on September 30, 2017
If you have no form fields in your websites, then switching to SSL has no point, purpose or function. Literally more trouble than it's worth.
posted by humboldt32 at 8:19 AM on September 30, 2017 [1 favorite]
Is there any list of reasons _not_ to use SSL certificates, other than monetary cost? Does it make the web slower or more resource-intensive, for example (obviously a little bit), does it make it less accessible to some people as publishers and readers, etc.?
posted by amtho at 8:31 AM on September 30, 2017
Is there any list of reasons _not_ to use SSL certificates, other than monetary cost? Does it make the web slower or more resource-intensive, for example (obviously a little bit), does it make it less accessible to some people as publishers and readers, etc.?
Maybe back in the '90s when CPU power wasn't both abundant and cheap.
There's no good reason in 2017 not to encrypt absolutely everything. In fact, with national governments slowly becoming more adversarial it's exactly why we should be encrypting everything.
posted by Talez at 8:44 AM on September 30, 2017 [3 favorites]
If you have no form fields in your websites, then switching to SSL has no point, purpose or function. Literally more trouble than it's worth.
This is emphatically not true. For one, empirically https is faster in many browser/server combinations. And sites with https receive a ranking boost in search results.
But more importantly, a page without forms is still sending data worthy of encryption to the user, even if the user is not sending anything back. By serving a site in the clear, you're making it easier for people to eavesdrop on the conversation, even if it's one way.
This is why Chrome 62 will give a "Not Secure" warning on all http pages viewed in Incognito mode (whether they have input fields or not!). That change will be coming to regular browsing (i.e. outside Incognito mode) too:
When users browse Chrome with Incognito mode, they likely have increased expectations of privacy. However, HTTP browsing is not private to others on the network, so in version 62 Chrome will also warn users when visiting an HTTP page in Incognito mode. Eventually, we plan to show the “Not secure” warning for all HTTP pages, even outside Incognito mode. We will publish updates as we approach future releases, but don’t wait to get started moving to HTTPS!
More details and context here.
posted by caek at 9:47 AM on September 30, 2017 [6 favorites]
Also one further point following up on caek's very good ones: HTTP pages don't have integrity, so e.g. bus or airport wifi points can and will inject advertisements and other crap into your website unless it is HTTPS.
posted by katrielalex at 10:53 AM on September 30, 2017 [4 favorites]
Is there any list of reasons _not_ to use SSL certificates, other than monetary cost? Does it make the web slower or more resource-intensive, for example (obviously a little bit), does it make it less accessible to some people as publishers and readers, etc.?
I'm on an older (some would say ancient) system, and while there is a fairly up-to-date version/port of Firefox available for my specific OS, it's so slow that unless I need the up-to-date security for financial transactions (or to visit a few favorite sites that simply do not load properly on older browsers due to javascript or https issues), I usually just use much older versions of Safari or related browsers.
However, I am now (especially in the last six months or so, which may be related to this google requirement) constantly being asked to approve https connections in my old Safari, or denied them altogether. In many instances, I simply do not bother visiting the site if I cannot even get there by approving an https connection. Which leads me to ask: why is it that in an older Safari browser such as mine, some https-requiring sites ask me to approve the connection (which allows me to visit the site after approving the connection), while others do not do so and simply will not load the page at all? And is there any way around this so that I can in fact access the https-requiring page in my old browser?
posted by tenderly at 3:26 PM on October 1, 2017
Which leads me to ask: why is it that in an older Safari browser such as mine, some https-requiring sites ask me to approve the connection (which allows me to visit the site after approving the connection), while others do not do so and simply will not load the page at all?
It’s probably because your OS is so old that it no longer receives updates & so it doesn't know about the new SSL root certificates (nor does it know about SSL root certificates that have been cancelled because they've been compromised & it still trusts those absolutely).
The root certificates in your OS are what Safari uses to check the authenticity of the certificates shown to it by https websites. If it doesn't have a copy of the root certificate used to sign an https certificate, then it has no way to check its authenticity.
The reason Firefox works is because Firefox ignores the OS root certificates & includes its own set with the browser, so if you keep Firefox up to date then it has an up to date list of root certificates.
And is there any way around this so that I can in fact access the https-requiring page in my old browser?
Probably. Honestly though, you’re exposing your machine to drive-by hacking by malicious javascript ads and the like through using such an out of date browser. It's quite likely that the only reason Firefox is slow is because the user data files have become very large & fragmented. You can fix this though!
Go to "about:support" and click on "refresh firefox" up at top right. See if that helps.
(Also, the next release of firefox - 59 - is supposed to be noticeably faster.)
If you have no form fields in your websites, then switching to SSL has no point, purpose or function. Literally more trouble than it's worth.
This is not true. By switching to SSL you’re protecting your users from having the web pages they receive from you intercepted en route and edited by entities that do not have their best interests at heart. In the modern world this is no longer a purely academic concern.
posted by pharm at 2:14 AM on October 5, 2017
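The root-certificate check described in the answer above can be reproduced offline with openssl. This is an added example, not part of the thread: it builds two constructed roots (new-root, old-root) and a constructed site certificate for www.example.test signed by new-root, then verifies the site against each trust store in turn.

```shell
#!/bin/sh
# Added example. All certificates and names here are constructed for the demo.
set -u

make_root() {  # make_root <name> <dir>: self-signed root certificate and key
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$1" -keyout "$2/$1.key" -out "$2/$1.pem" 2>/dev/null
}

make_site_cert() {  # make_site_cert <hostname> <root-name> <dir>
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$3/site.key" -out "$3/site.csr" 2>/dev/null &&
  openssl x509 -req -in "$3/site.csr" -days 30 \
    -CA "$3/$2.pem" -CAkey "$3/$2.key" -CAcreateserial \
    -out "$3/site.pem" 2>/dev/null
}

trusts() {  # trusts <trust-store.pem> <cert.pem>: status 0 only if the chain verifies
  # Parse the output rather than the exit code, which old openssl builds
  # do not set reliably on verification failure.
  openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

demo() {
  dir=$(mktemp -d) || return 1
  make_root new-root "$dir" && make_root old-root "$dir" &&
    make_site_cert www.example.test new-root "$dir" || return 1

  # Up-to-date store: contains the root that signed the site certificate.
  if trusts "$dir/new-root.pem" "$dir/site.pem"; then current=accepted
  else current=rejected; fi

  # Stale store: only has a root it shipped with, so the site's issuer is
  # unknown and there is nothing to check the signature against.
  if trusts "$dir/old-root.pem" "$dir/site.pem"; then stale=accepted
  else stale=rejected; fi

  rm -rf "$dir"
  echo "current-store=$current stale-store=$stale"
}

demo
```

The site certificate is identical in both checks; only the verifier's list of trusted roots differs.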
posted by humph at 6:22 AM on September 30, 2017