https admin tax
https admin tax is the additional amount of regular administrative work you or your web host must do to keep your https site running and available even if you make no other changes to your site and want to just leave it alone.
If you run a website, you should still strongly consider adding https support for all the reasons in https#Why. This page is here to raise awareness of the additional work required to configure and maintain the https certificate, and real additional site outage (longevity) risks, as documented by real world examples of failures.
Due to this admin tax, making your website https-only in particular makes it more fragile, as shown by numerous indieweb examples where people have forgotten or neglected to do the administrative work update their certificates, thus breaking their websites and making them inaccessible even over plain http since they hardcoded their websites to always redirect to the https-only version of pages. HSTS can add additional fragility here due to the time it makes you wait to make changes to the http(s) setup of your site including redirects.
Search IndieWeb chat for "certificate expired" or "cert expired" for examples of failure to pay this admin tax.
https-only site-outage examples:
- 2018-01-17 benwerd.com per https://chat.indieweb.org/dev/2018-01-17/1516209430591900
- 2018-01-12 glennjones.net per https://chat.indieweb.org/dev/2018-01-12/1515783317246500
- 2017-07-20 openidconnect.net per https://chat.indieweb.org/dev/2017-07-30/1501441404233000
- 2017-04-23 silo.pub per https://chat.indieweb.org/2017-04-23/1492954446036000
- 2017-04-17 Kongaloosh(domain?) per https://chat.indieweb.org/2017-07-14#t1500064460905000
aaronpk: oh nooess Kongaloosh your SSL cert expired!
- 2016-09-08 aaronparecki.com per https://chat.indieweb.org/dev/2016-09-08/1473340694939000
- 2016-07-19 woodwind.xyz per https://chat.indieweb.org/2016-07-19/1468949368459000
https outage examples where the site was still available using plain http:
- 2017-05-25 tantek.com per https://chat.indieweb.org/dev/2017-05-25/1495744011090000
- self-signed cert used only for site admin auth / posting UI.
Does letsencypt solve this
"But letsencrypt forces you to automate certificate renewal so there's no problem then!"
- Any automation can break, and thus needs monitoring and maintenance. Using letsencrypt helps reduce https admin tax, but does not eliminate it. You must still:
- make sure whatever cert renewal automation you setup keeps working,
- monitor it to know when it breaks,
- repair it when it breaks, and
- reimplement it when you migrate your site to another server
But domain registration is also required
Domain registration is another required periodic admin tax.
However, in practice, sites fail (go offline) due to expired certificates much more often than expired domain names. This can be verified by the examples above (and searching IndieWeb chat channels) and was summarized in:
Since getting into #indieweb stuff, I’ve seen way more sites go down because of an expired HTTPS cert than expired domain registration.