Banyan Theory  //  www.lightrailsites.com 888-258-0805

Whole-Site SSL

Use HTTPS on every page of your website

Whole-Site SSL is now available for $9/mo.

Haven’t You Always Used SSL?

Yes. Every insurance agency website we have ever built has used SSL on pages that collect personal information.

What’s New Then?

We now support HTTPS on every page using a custom SSL certificate for your domain.

What’s The Difference?

Until recently, all of the insurance agency websites we host have used HTTP for content pages and HTTPS for form pages, using a shared SSL certificate. With the Whole-Site SSL add-on, all of the pages on your website will use HTTPS.

Without Whole-Site SSL, your URLs will be similar to:

  • http://www.agency.com/auto-insurance
  • https://agency.agentform.com/auto-insurance/quote

With Whole-Site SSL, your URLs will be similar to:

  • https://www.agency.com/auto-insurance
  • https://www.agency.com/auto-insurance/quote

Why Not Use Shared SSL For All Pages?

While technically possible, this option is not ideal for branding and SEO. Website visitors expect to see your domain name in Google search results and in the address bar when they first come to your website.

Why Should I Care?

There are a few reasons to care about HTTPS everywhere:

  • Google recently announced that it now uses HTTPS as a ranking signal, meaning websites that use HTTPS on every page can get a slight ranking boost from Google.

  • HTTPS not only adds security—it also adds privacy. Tech-savvy people recognize this and may prefer to click on https links over http links.

  • Google Chrome, which is more than twice as popular as Internet Explorer in the US, will begin explicitly marking all non-HTTPS websites as non-secure.

  • Because the visitor is on the same origin throughout their visit, we can provide you with information about how a leads find your website, the pages they first land on, and the marketing campaigns that bring them.

Why Now?

Several factors influenced our decision, including Google’s recent announcements outlined above, as well as a new certificate authority called Let’s Encrypt, which allows certificate issuance and management to be automated.

Aren’t Let’s Encrypt Certificates Free?

Yes. However, we designed, implemented, and maintain software, tooling, and processes that allow us to use Let’s Encrypt.

In order to obtain a certificate from Let’s Encrypt, you must have control of the server to which your domain points (or to the domain’s DNS settings, though this is more difficult to automate), and you must then implement the Automated Certificate Management Environment (ACME) spec, or use an ACME client that implements the spec.

In addition, unlike purchased certificates (valid for at least 1 year and up to 39 months), Let’s Encrypt certificates are only valid for 90 days. Since they are free, this is not a problem in terms of hard costs, but it does increase the maintenance requirements. Without having an automation strategy in place, the maintenance of 90-day certificates would not be worth the savings in hard costs.

What All Do I Get?

For just $9/mo, you'll get all of the following:

  • HTTPS on every page of your website
  • A potential Google ranking boost
  • Improved privacy for your customers
  • More information about website leads

In addition, Banyan Theory software engineers constantly monitor for:

  • Certificate expiration
  • New security vulnerabilities (in SSL software, cipher suites, etc.)
  • Changes in SSL/TLS best practices (key bit length, cipher suites, etc.)

What Is HSTS?

HTTP Strict Transport Security (HSTS) adds a layer of protection for your website visitors. In a nutshell, when a person visits your website, our servers will tell the browser "this is an HTTPS-only website, so next time you come here, be sure to use HTTPS." Going forward, whenever this person visits your website, the browser will automatically use the secure (https://) version of the URL without even asking our servers (hence the "Strict" in its name).

This does have implications for disabling SSL. HSTS is communicated with a time frame, and we currently use 30 days (our servers tell browsers to "use only HTTPS for the next 30 days"). If you decide to remove the Whole-Site SSL add-on, or if you switch to another provider without SSL, any visitors who have been to your website in the past 30 days will not be able to access your non-HTTPS site until 30 days after their last visit. The solution to this is for us to disable HSTS on your website at least 30 days before you need your website to be accessible over plain HTTP. If you want to remove Whole-Site SSL or plan to move to a different provider without HTTPS, please let us know at least 30 days in advance so we can disable HSTS on your site so none of your visitors are negatively impacted by this security measure.

Does It Work Everywhere?

In practical terms, yes. Whole-Site SSL works on these platforms, starting at the version numbers and release dates indicated:

  • Chrome 6 (2010)
  • Internet Explorer 7 on Windows Vista (2006)
  • Firefox 2 (2006)
  • Safari 2.1 (2008)
  • iOS 4.0 (2010)
  • Android 3.0 (2011)
  • Windows Phone 7 (2010)

Server Name Indication (SNI), the technology which allows us to offer affordable Whole-Site SSL, was made available in 2007. Browsers from before 2006 do not support SNI, including Internet Explorer on Windows XP. Because its usage is so low, and because Microsoft ended support for Windows XP four years ago (in April 2014), we are confident in our decision to use SNI.


from our blog // Using Credit Card Points for Good -...

Allison
Banyan Theory turns our credit card points into charitable donations. Here's the simple way it's done and how we chose to help make a difference in our community again this year.     Read the full article »

Appointed with Safeco or Liberty Mutual?

We offer exclusive discounts and programs for Safeco & Liberty Mutual agents.

Sign up today to find out how much you can save on your new insurance website!