Force Using SSL on Site now?

HTTPS can achieve three things:

  • Authenticity. Making sure that you are communicating with the real domain owner.
  • Confidentiality. Making sure that only this domain owner and you can read the communication.
  • Integrity. Making sure that the content doesn’t get modified by someone else.

Probably everyone agrees that HTTPS should be mandatory when transmitting secrets (like passwords, banking data etc.).

But there are several other cases where and why the use of HTTPS can be beneficial:

Attackers can’t tamper with requested content.

When using HTTP, eavesdroppers could manipulate the content your visitors see on your website. For example:

  • Including malware in the software you offer for download.
  • Censoring some of your content. Changing your expressions of opinion.
  • Injecting advertisements.
  • Replacing the data of your donations account with their own.

Of course this also applies to content sent by your users, for example wiki edits. However, if your users are anonymous, the attacker could "simulate" being a user anyway (unless the attacker is a bot and there is some effective CAPTCHA barrier).

Attackers can’t read requested content.

When using HTTP, eavesdroppers could know which pages/content on your host your visitors access. Although the content itself may be public, the knowledge that a specific person consumes it is problematic:

  • It opens an attack vector for social engineering.
  • It infringes privacy.
  • It can lead to surveillance and punishment (right up to imprisonment, torture, death).

Of course this also applies to content sent by your users, for example mails via a contact form.

All that said, simply offering HTTPS in addition to HTTP would only protect users that check (or locally enforce, e.g. with HSTS) that they are using it. Attackers could force all other visitors to use the (vulnerable) HTTP variant.

So if you come to the conclusion that you want to offer HTTPS, you might want to consider enforcing it (server-side redirect from HTTP to HTTPS, send HSTS header).


Interesting question. However, the obvious answer would be if I can get a website with a browser, then the NSA can get it too. I am not trying to be a smarty-pants on this. SSL should be used for account login, payments, etc. As a normal course of work, it is not necessary.

Having said that, I do support SSL more than this answer implies. If you are a blogger, then I would not use SSL. If you are saying things you want private even under certain circumstances, then you should not post it or put it behind a login to better control who sees it.

Remember that the web is an open communications vehicle. It is design and geared toward this. Private communications vehicles are not promiscuous with who it connects to and shares information with and often deploys numerous security schemes to ensure secure communications. The web is designed to connect easily and anonymously with any client and share all or nearly all of the information that it has. Yes there are options for securing web communications to a point, however, it will be always be limited due to the nature of what it is.


Secrecy

Since your content is public, HTTPS obviously won't hide it, but it might provide some benefits depending on the nature of your site.

Privacy

When someone requests a page over HTTPS, the request is encrypted, so if someone is watching your visitors, they won't know which pages they requested. Unfortunately, DNS (the system for getting an IP address based on your website's domain name) isn't encrypted, so an observer could still identify who visits your website. Even if that was encrypted, in most cases you could still tell which website someone is visiting based on IP addresses, which can't be hidden in the internet's current design.

Wikipedia offers HTTPS, which you might think is pointless because the content is public, but by doing this they protect their users: If someone is looking up "unpatriotic" things on Wikipedia (using HTTPS), their government can't tell which pages they're reading, just that they're on Wikipedia. Twitter is another case the content itself is public, but people don't necessarily want other people to know what they're doing on it.

Password Security

The other major reason you might want to consider HTTPS is if you have any login pages or other places where you accept private data from users (including yourself). If you don't support HTTPS at all, passwords and other information will be sent "in the clear", and anyone who can read network data can see them (the scary case used to be other people on the same wifi network as you; now it also includes various government agencies looking for blackmail material).

If you just support HTTPS on the login page, but not anywhere else, a clever attacker will intercept every page except the login page, and change the "Login" link to not use HTTPS, then intercept your communication (and if you force that page to HTTPS, they can just intercept the traffic and provide a fake version of it that does work). You can prevent this by always checking for a lock icon in your URL bar before logging in, but almost no one remembers to do that every time.

Tags:

Security

Https

Recent Posts