We live in a day and age where we simply cannot take our right to privacy for granted. When we communicate over unprotected channels, we expose our messages to everyone who happens to be along the way: WiFi hotspots, corporate IT providers, ISPs and cloud providers can all listen in on our communication. We leave a trail of digital footprints behind. When aggregated, it can reveal information about ourselves. Eavesdroppers and intruders can make inferences about our behaviors and intentions: ISPs can determine what types of news stories we are interested in, and employers can monitor our activities even on personal devices at work, look at our searches and see our messages, all when we communicate over unprotected channels.
Google has been urging site owners to switch to HTTPS for many years now. They started using HTTPS as a ranking indicator for their search results. To tighten the screws, Chrome, starting with the upcoming version 56, will start showing “not secure” alerts on sites that collect login or credit card information over HTTP. Firefox will also start displaying a red icon in the address bar as well as an in-context warning for pages that ask users to log in over HTTP.
While I don’t know the real reason that compels Google to drive the HTTPS campaign, it’s a great direction for the future of the web, a direction that we should all support.
So how do you make your website secure? It’s way easier to secure sites with HTTPS these days than it used to be. In the past, obtaining the digital certificate that HTTPS requires meant paperwork and hundreds of dollars. This is no longer the case. Let’s Encrypt is a certificate authority that provides FREE certificates to anyone. It’s backed by organizations such as Mozilla, Facebook and Google, to name a few. Let’s Encrypt makes it possible for anyone to have an HTTPS website for free. As an alternative, if you host your servers on AWS, Certificate Manager provides free certificates and handles certificate renewals as an added bonus.
Getting an HTTPS-enabled website is easier (and cheaper) now than ever. If you are concerned that HTTPS slows things down, think again. HTTPS can even be faster than HTTP.
I intentionally didn’t touch upon security threats to unencrypted traffic since they are well known to most people. The privacy aspects, unfortunately, aren’t as well known.
I would also like to make a quick announcement: starting today, all traffic to my blog is 100% fully encrypted and secured using HTTPS. I enabled HTTPS without spending a single penny and the whole process took less than an hour. If you have a website that isn’t using HTTPS yet, what are you waiting for?
Your ISP and others can see what your users are reading and what actions they are taking on your blog. It may sound harmless for one blog, but ISPs see all the traffic and it’s a matter of time before they start using machine learning to predict behaviours and habits based on all the ‘harmless’ sites users are visiting. This least sinister example is still an invasion of your users’ privacy. While you might think that the information isn’t sensitive and it’s okay for anyone to see which posts your users are reading or interacting with, your users might disagree with you.
Not only can your ISP see all the traffic, they can tamper with and alter your site’s content. They can inject ads. Your users may never know who altered the content.
I heard about it, but didn’t think ISPs would go this low until I started noticing XFINITY ads and links on sites that normally wouldn’t display those. I didn’t check at the time but I will be very surprised if I find that Comcast wasn’t injecting those ads.
If you are still not convinced, ask the opposite: why not enable HTTPS? There is absolutely no harm. It’s free. It’s fast. It doesn’t require a lot of effort to set up. It boosts your site’s ranking on Google. It shows that you respect the privacy of your readers. It’s the right thing to do.
My read-only blog offers no sensitive information.
Why should I waste time setting up https when it doesn’t help at all?
For starters, improved site performance through http/2, and making your website impossible for ISPs to change or inject content into during transit (possibly silently). Also the ability to see referral traffic from other HTTPS sites.
Don’t kid yourself, the government has all the keys so all your traffic is visible to them.
HTTPS is faster on browsers only because vendors decided not to use HTTP in the faster HTTP/2.0 implementation. Of course SSL introduces latency but it is for the greater good.
You do not know how encryption works, do you?