https admin tax

This article is a stub. You can help the IndieWeb wiki by expanding it.

https admin tax is the additional amount of regular administrative work you or your web host must do to keep your https site running and available even if you make no other changes to your site and want to just leave it alone.

If you run a website, you should still strongly consider adding https support for all the reasons in https#Why. This page is here to raise awareness of the additional work required to configure and maintain the https certificate, and real additional site outage (longevity) risks, as documented by real world examples of failures.

Fragility

Due to this admin tax, making your website https-only in particular makes it more fragile, as shown by numerous indieweb examples where people have forgotten or neglected to do the administrative work update their certificates, thus breaking their websites and making them inaccessible even over plain http since they hardcoded their websites to always redirect to the https-only version of pages. HSTS can add additional fragility here due to the time it makes you wait to make changes to the http(s) setup of your site including redirects.

Search IndieWeb chat for "certificate expired" or "cert expired" for examples of failure to pay this admin tax.

https-only site-outage examples:

• 2018-01-17 benwerd.com per https://chat.indieweb.org/dev/2018-01-17/1516209430591900
• 2018-01-12 glennjones.net per https://chat.indieweb.org/dev/2018-01-12/1515783317246500
• 2017-07-20 openidconnect.net per https://chat.indieweb.org/dev/2017-07-30/1501441404233000
• 2017-04-23 silo.pub per https://chat.indieweb.org/2017-04-23/1492954446036000
• 2017-04-17 Kongaloosh(domain?) per https://chat.indieweb.org/2017-07-14#t1500064460905000

  aaronpk: oh nooess Kongaloosh your SSL cert expired!

• 2016-09-08 aaronparecki.com per https://chat.indieweb.org/dev/2016-09-08/1473340694939000
• 2016-07-19 woodwind.xyz per https://chat.indieweb.org/2016-07-19/1468949368459000
• ...

https outage examples where the site was still available using plain http:

• 2017-05-25 tantek.com per https://chat.indieweb.org/dev/2017-05-25/1495744011090000
  • self-signed cert used only for site admin auth / posting UI.
• ...

FAQ

Does letsencypt solve this

"But letsencrypt forces you to automate certificate renewal so there's no problem then!"

• Any automation can break, and thus needs monitoring and maintenance. Using letsencrypt helps reduce https admin tax, but does not eliminate it. You must still:
  • make sure whatever cert renewal automation you setup keeps working,
  • monitor it to know when it breaks,
  • repair it when it breaks, and
  • reimplement it when you migrate your site to another server

But domain registration is also required

Domain registration is another required periodic admin tax.

However, in practice, sites fail (go offline) due to expired certificates much more often than expired domain names. This can be verified by the examples above (and searching IndieWeb chat channels) and was summarized in:

• https://twitter.com/kylewmahan/status/637351333436129280

  Since getting into #indieweb stuff, I’ve seen way more sites go down because of an expired HTTPS cert than expired domain registration.

See Also

• https
• admin tax
• letsencrypt
• longevity
• If you use HSTS and fail to renew your certificate, visitors are unable to even try to view your site by adding an exception for your expired certificate.