Thursday 22nd November 2018

Google vs. HostGator: why is one of the world’s biggest web hosts discouraging its customers from encrypting users’ data?

In its acceptable use policy, Hostgator is discouraging its customers from implementing HTTPs unless it's "necessary". In July, Google Chrome released an update that pushes a "not secure" notification into the address bar of its browser on websites that haven't implemented HTTPs.
Jason Smith
by on 16th August 2018

UPDATE 15:03 EDT: a spokesperson for Endurance International Group informed us HostGator is “currently working to update [its acceptable use policy] to reflect the recent Chrome update and company wide changes” and “recently, Endurance International Group announced free SSL certificates to all HostGator, Bluehost, Domain.com and iPage customers without one”. 

UPDATE CONTINUED: She also stated the provision – Section C (XII), see below – is no longer “a current company wide policy” and will be removed with immediate effect.  

HostGator, one of the world’s biggest web hosts, is operating counter to the views of internet platforms like Google and discouraging its customers from encrypting their visitors’ communications unless it’s “necessary”.

HostGator is owned by Endurance International Group (EIG), the same organization that owns other large web hosting brands including Bluehost, Just Host, iPage and FatCow.

The discouragement is published in HostGator’s acceptable use policy however it doesn’t appear to extend to any of EIG’s other brands. In full, its acceptable use policy states:

“[customers may not] use https protocol unless it is necessary; encrypting and decrypting communications is noticeably more CPU-intensive than unencrypted communications”.

HostGator currently has 400,000 customers worldwide and hosts over 5 million websites.

Moreover, HostGator, Bluehost, Just Host and iPage all implement HTTPs across most of their respective websites; however, FatCow doesn’t.

Meanwhile Google, which is one of the biggest contributors of traffic to websites globally, is actively encouraging users to implement SSL encryption irrespective whether they’re handling sensitive data.

On its developer pages, it states:

“All websites should be protected with HTTPS, even ones that don’t handle sensitive data. HTTPS prevents intruders from tampering with or passively listening in on the communications between your site and your users”.

Emily Schechter, Google Chrome’s security product manager, also recently told Wired, “Encryption is something that web users should expect by default”.

Following through on this philosophy, the latest update to Google Chrome, Google’s flagship browser, pushes notifications into the address bar warning users that websites without HTTPs are “not secure”.

The update is likely to have consequences for website owners if users begin interpreting the notification as a deterrent, particularly considering Google Chrome enjoys a global browser marketshare of nearly 60 percent, according to the latest data from StatCounter.

The search giant also recently engaged in a very public spat with Symantec, which was formerly one of the world’s foremost PKI providers, over the “trustworthiness” of its infrastructure.

The spat eventually led Symantec to sell its PKI business to DigiCert for just over $1 billion.

SSL is also a de facto requirement of the new HTTP/2 specification, which was the first update to the HTTP protocol in nearly 20 years.

The new specification speeds up the transmission of data between server and client (e.g. a browser) by facilitating asynchronous data transfer i.e. multiple requests can be served asynchronously over a single connection.

However, despite Google’s assertions, as well as some of the potential benefits, HostGator is concerned SSL encryption has a disproportionate affect on precious server resources.

A report in 2017 from Key CDN, a content delivery network, cites tests that suggest the difference in speed between an encrypted and unencrypted connection is about 5 milliseconds. It also claims implementing HTTPs leads to a 2 percent increase in CPU usage.

HostGator specializes in the provision of shared hosting packages, which entails hosting upwards of hundreds of websites from a single server. The host recently performed well in our monthly web host rankings, placing 1st overall for uptime and response time in July.