Comment by Aardwolf
11 years ago
My website only contains publicly available stuff for people to read.
Is there any reason why I would want to use https for this use case?
Or what does "entire web" mean?
If you're not using HTTPS it is trivial for anyone in the middle of the "client to server and back" connection to change any of the content.
If you use HTTPS you prevent alterations to that traffic and people receive exactly what you expect they should receive.
Examples of recent ISP misbehaving on non-https websites just 25 days ago on HN: https://news.ycombinator.com/item?id=8500131
Note that the Verizon issue isn't anything entirely content altering but someone who lives in a country with strict monitoring of traffic could easily change the wording of your website to match their propaganda if you aren't using HTTPS.
So yes, your content is publicly available free stuff and no one is probably sending you user login credentials or credit cards but it still matters.
Only with https could you be sure that your visitors are viewing the exact information you published, and that the content has not been hijacked.
Over http it could conceivably have malicious or tracking content introduced without your knowledge.
>Is there any reason why I would want to use https for this use case?
Yes it can help you stop:
ISPs inserting adverts into your content (this has happened)
Governments censoring your content or rewriting it
Governments putting people in jail for reading your publicly available (in your country) content, which is illegal in theirs
People impersonating your website
But if you don't want to use it, that's cool too. I suspect all websites will be encrypted at some point soon though; the disadvantages are getting less and less important.
>Governments putting people in jail for reading your publicly available (in your country) content, which is illegal in theirs //
How does that work? Surely the gov can still see people accessing the information by monitoring network traffic, and the info itself is still public. HTTPS doesn't encrypt the actual request traffic, does it? And in any case the gov would still see which server the traffic is going to unless you're using something like tor [and possibly still then].
HTTPS does encrypt both request and response.
However, you can figure out what pages on a large public site like Wikipedia people are reading over HTTPS, based on statistical traffic analysis, because you can see the size of the request, page, and each of the images. Combined with link following analysis, you can make a fairly accurate guess as to what people are reading.
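Added example (not part of the thread or any poster's code): a site operator's view of the size-based traffic analysis described in the comment above, measuring how many pages an on-path observer could tell apart by response size alone and how padding responses to fixed buckets changes that. The paths, sizes and bucket values are constructed, and using one body size per page (ignoring images, TLS framing and link-following) is a simplifying assumption.

```python
# Constructed sample: response body sizes in bytes for pages on a hypothetical site.
PAGE_SIZES = {
    "/wiki/Weather": 48_213,
    "/wiki/Chess": 61_877,
    "/wiki/Depression": 52_940,
    "/wiki/Elections": 52_101,
    "/wiki/Tea": 48_950,
    "/wiki/Bread": 61_020,
}


def padded(size, bucket):
    """Round size up to the next multiple of bucket (bucket=1 means no padding)."""
    return -(-size // bucket) * bucket


def anonymity_sets(page_sizes, bucket=1):
    """Group pages by the size visible on the wire; each group is one anonymity set."""
    groups = {}
    for path, size in page_sizes.items():
        groups.setdefault(padded(size, bucket), []).append(path)
    return groups


def uniquely_identifiable(page_sizes, bucket=1):
    """Pages whose observed size matches no other page on the site."""
    sets = anonymity_sets(page_sizes, bucket).values()
    return sorted(path for group in sets if len(group) == 1 for path in group)


def padding_overhead(page_sizes, bucket):
    """Fraction of extra bytes sent if every response is padded to the bucket size."""
    total = sum(page_sizes.values())
    return (sum(padded(s, bucket) for s in page_sizes.values()) - total) / total


if __name__ == "__main__":
    for bucket in (1, 4096, 16384):
        exposed = uniquely_identifiable(PAGE_SIZES, bucket)
        cost = padding_overhead(PAGE_SIZES, bucket)
        print(f"bucket={bucket:>5}: {len(exposed)} of {len(PAGE_SIZES)} pages "
              f"identifiable by size, overhead {cost:.1%}")
```

With this sample, every page is distinguishable without padding, two remain distinguishable with 4 KiB buckets, and none with 16 KiB buckets, at roughly 11% extra bandwidth.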
There's a difference between
"User X browses Wikipedia"
and
"User X browses Wikipedia articles about topics A, B, C"
where topics A, B, C could be anything user X doesn't want people recording them reading about: for instance, various political articles, articles about mental illness, articles about LGBT issues, etc. Fill in the blanks.
Sure! If I trust your site but not my ISP, then https allows me to trust the connection between us. That means that nobody can tamper with the content and inject some malicious JS. Also, the ISP could only tell that I am talking to your server, and not anything beyond that.
Yes, because it is no one's business what people are looking at anyways. If you have more than one URL, HTTPS will hide that.
HTTPS will also make an attacker unable to change your content.
Anyone along the way (like an ISP) could inject things into your webpage. Like ads https://arstechnica.com/tech-policy/2013/04/how-a-banner-ad-...
People could think they are reading an article from your site but actually they're not or the text was tampered with. With https you ensure people are actually reading what you published.
Honestly, you're probably not going to get a large personal benefit from this. The larger good is that you'll be helping move the Internet toward encrypted-by-default, which is an enormous societal benefit.
Like you, I don't host any private or remotely sensitive information. I'm encrypting my site because I think it's the right thing to do, even though there's little personal return on investment.