> It's still buy a certificate and set it up in nginx/apache/your favourite load balancer/etc.
To a first order approximation, yes, and for small and medium sites, that's pretty accurate. But for very large sites, there can be additional complications and expenses, and that situation has improved over the last several years. Don't underestimate the effect that the downward price of bandwidth over the years has had - at very large scale, those pennies can really add up.
There's a reason why sites like Google, Facebook, Reddit, Tumblr, etc. took so long to add SSL to everything Or why some sites like Comcast still don't provide it. It's not (always) that they simply don't care or don't have knowledgeable engineers; it's that the logistics of managing[0] SSL at that scale are non-trivial. Arguably worth it, yes, but it's not so straightforward.
[0] heck, the logistics of paying for - even with a CDN, the marginal cost of adding SSL is not cheap.
To a first order approximation, yes, and for small and medium sites, that's pretty accurate. But for very large sites, there can be additional complications and expenses, and that situation has improved over the last several years. Don't underestimate the effect that the downward price of bandwidth over the years has had - at very large scale, those pennies can really add up.
There's a reason why sites like Google, Facebook, Reddit, Tumblr, etc. took so long to add SSL to everything Or why some sites like Comcast still don't provide it. It's not (always) that they simply don't care or don't have knowledgeable engineers; it's that the logistics of managing[0] SSL at that scale are non-trivial. Arguably worth it, yes, but it's not so straightforward.
[0] heck, the logistics of paying for - even with a CDN, the marginal cost of adding SSL is not cheap.