https admin tax

From IndieWeb
Jump to: navigation, search


https admin tax is the additional amount of regular administrative work you or your web host must do to keep your https site running and available even if you make no other changes to your site and want to just leave it alone.

If you run a website, you should still strongly consider adding https support for all the reasons in https#Why. This page is here to raise awareness of the additional work required to configure and maintain the https certificate, and real additional site outage (longevity) risks, as documented by real world examples of failures.

Fragility

Due to this admin tax, making your website https-only in particular makes it more fragile, as shown by numerous indieweb examples where people have forgotten or neglected to do the administrative work update their certificates, thus breaking their websites and making them inaccessible even over plain http since they hardcoded their websites to always redirect to the https-only version of pages. HSTS can add additional fragility here due to the time it makes you wait to make changes to the http(s) setup of your site including redirects.

Search IndieWeb chat for "certificate expired" or "cert expired" for examples of failure to pay this admin tax.

https-only site-outage examples:

https outage examples where the site was still available using plain http:

FAQ

Does letsencypt solve this

"But letsencrypt forces you to automate certificate renewal so there's no problem then!"

  • Any automation can break, and thus needs monitoring and maintenance. Using letsencrypt helps reduce https admin tax, but does not eliminate it. You must still:
    • make sure whatever cert renewal automation you setup keeps working,
    • monitor it to know when it breaks,
    • repair it when it breaks, and
    • reimplement it when you migrate your site to another server

But domain registration is also required

Domain registration is another required periodic admin tax.

However, in practice, sites fail (go offline) due to expired certificates much more often than expired domain names. This can be verified by the examples above (and searching IndieWeb chat channels) and was summarized in:

See Also

  • https
  • admin tax
  • letsencrypt
  • longevity
  • If you use HSTS and fail to renew your certificate, visitors are unable to even try to view your site by adding an exception for your expired certificate.