So one day my wife wanted a website to highlight her award-winning pottery. She finds WordPress a bit cumbersome to use and after looking at a number of hosting sites settled on Squarespace. After purchasing a site there, I registered a domain name for the site and we sat down and took a look at what needed to be done to point the domain to the site.
And that’s where things got weird. Because I figured while I was reading Squarespace’s documentation about where to point the domain DNS, I’d also see what the process was for adding an SSL certificate. And the answer was shocking–there is no option to for individuals to use SSL on Squarespace sites.
When you login to Squarespace or set up an e-commerce area, Squarespace sends you to a Squarespace.com area that use Squarespace’s SSL certificate. But those are the only times that users will see SSL related to a site they have set up. As Squarespace explains (emphasis added),
Some areas of Squarespace sites are protected by SSL, including checkout for Commerce transactions and wherever you log into your site. However, SSL isn’t currently available for other pages.
We don’t offer the ability to install custom SSL certificates at this time.
This is crazy, and potentially dangerous. Without SSL, browsing Squarespace sites is subject to snooping by third parties. Attackers could potentially perform man-in-the-middle style attacks by intercepting the non-encrypted traffic and injecting malicious code.
One of Squarespace’s competitors, WordPress.com not only supports SSL for the millions of blogs/sites it hosts, but just announced it was using Let’s Encrypt to offer free SSL to every single custom domain on its network.
That Squarespace continues to expose both its visitors and its customers to these sort of risks is inexcusable.