We just added an automated way to have your site served over SSL. This will let you have a site shown as secured in the browser, like this
This is especially useful if you process payments in your app. Braintree, for instance, requires this to use the plugin. More generally, this inspires more trust for your users.
The certificate is available to users on a Professional Plan and higher. It works like this. Once your domain is set up in the Settings Tab, section Domain, you’ll be able to pick an email of the domain and Activate your SSL. Then, you’ll get an email at this address, and once you’re done with the instructions there, the SSL connection will happen automatically after a few hours.
This is a nice evolution for Bubble - great to see the friction taken out of a normally sticky process.
What’s the process now for securing apps that haven’t yet scaled to the professional level? Are you still offering the manual process on a case-by-case basis? I’ve been holding back my activation request knowing this automation is in the works.
It’s 2016 - many users are very weary of sending details online without SSL.
And with the new LetsEncrypt initiative, SSLs are free. That being said, there is probably plenty of overhead required to interface SSLs with bubble.
We tried bubble.is back in 2013 and one of the main reasons we didn’t stick with it at the time was lack of SSL. (To be fair to bubble, I see from reading the community that there was a manual process to getting an SSL on our account.)
My thoughts are simply that $79/mo. is too much to pay for this feature and it should be included (or an add-on option) on all paid plans.
Honestly, I think a service like bubble should only offer https:// functionality. And if it costs more then it costs more - either as an add-on or a price increase.
Couldn’t agree more with this sentiment. When I raised my query above, I was surprised that Bubble saw SSL as an optional super-premium feature. I understand the business need to distinguish between ‘personal’ and ‘professional’ features, but the language doesn’t match the use cases (I see the distinction as purely one of scale). In my view it was a no-brainer that offering SSL as a core platform capability for anyone paying to use Bubble (everyone) would only be a boon for Bubble (conversely, imagine the damage were there a widescale breach of Bubble-hosted apps).
The implication here is that anyone taking sensitive information must sign up to the ‘professional plan’ from the onset. In fact it should be made clear that unless you’re on at least that plan, you shouldn’t be able to process user information - passwords, credit card info, etc. Naturally I was disappointed by the thinking on this but couldn’t muster more energy to question it as I’ve previously shared a lot privately; instead it just added one more question of my confidence in Bubble.
In any case here’s a helpful reference that lays out how Bubble’s chief competitor is thinking of SSL:
i’ve seen elsewhere in the forums and documentation (can’t find it now) that users can pay to have a custom feature created in bubble, if the bubble team agrees to create the custom feature. it looks like these types of projects are considered on a case-by-case basis.
hypothetically, could SSL be made available to the lower-priced plans through this same process?
We used to do this before we automated the system, now this is part of the plan.
Right… but not part of Personal Plan. Paying $79/mo. to use SSL with your own domain excludes Bubble from being a “pay as you grow” service. Just saying I think that $79/mo. is a tough entry point for lots of companies and non-SSL should be a non-starter.
Also, making it as easy as Bubble does to collect signup / login information and allowing your customers to use this without SSL by simply adding a custom domain is a bit weak imho.
Once you let customers use their own domain (Personal Plan) then their app data is less secure than the free plan. It would be nice to have SSL included or as an addon to the Personal Plan.
Technically speaking, it would be nice to have control over the cert. What type of cert is Bubble applying – DV, OV, or EV? Guessing it’s just a DV.
How many certificates can I have, one for each private app?
I also feel that SSL should be available on the lower plans – even if it’s as an add-on. $80 a month is extremely high for myself, especially when I can run a VPS with multiple websites for less than $30 a month and purchase a DV cert for less than $10 a year. Or even free with automatic renewal using https://letsencrypt.org/.
