SSL's (security) benefit to the website owner

It prevents the ISP from injecting their own ads in place of your own. If you rely on advertising for revenue, https helps protect your revenue stream.


You have a few good questions, and a few misconceptions. Let's try to untangle them.


I also have some idea about other benefits (e.g. speed benefits from HTTP/2).

Another important one: Search Engine Optimization since you get GooglePoints for having TLS. (which kinda feeds your point that webmasters need external incentives ...)


I suppose because I would also know that the client I'm transacting with is certified and information I send them is encrypted. ... But can't any client [sic] access my website with self-signed certs?

Yes and no, and yes, ... and no. Let's untangle this.

TLS client authentication (requiring clients to present certs) is something you usually see on VPN servers, enterprise WPA2 WiFi access points, and corporate intranets. These are all closed systems where the sysadmin has full control over issuing certs to users, and they use this to control which users have access to which resources. This makes no sense in a public website setting, and is definitely a non-standard config for an HTTPS webserver.

That said, what you do gain is this:

Encrypted TLS session
| Client loads login page
| Client sends username / password
| Client does "logged in things"

So you do gain extra confidence that the user is who they say they are because the username / password is no longer sent in the clear, therefore no longer possible for a man-in-the-middle to intercept / modify / steal.

After that any of the data the client sends to the server, or gets from the server, is end-to-end encrypted to the client. Generally you're right: this protects the client more than the server, but it does stop man-in-the-middles from injecting malicious stuff into files that the user uploads, injecting malicious commands to be executed as if they came from that user.


But can't any client act unethically and access my website with self-signed certs, etc., claiming to be whoever they like?

Kinda, yes. For a public website, anybody can open a TLS connection. If you want users to authenticate, you need to have a login mechanism on top; TLS does not generally provide this for you (unless you're using the above-mentioned client cert mechanism).


But something I was wondering recently was whether the website benefits in a similar way from this transaction.

Basically, the benefits to the server are that any data sent to the user will only be viewed by the intended user. If, for example, you are sending them copies of their financial statements, then your lawyers will be very happy to hear this. It also means that any data received from the user did in fact come from that user, and not from an attacker pretending to be them.

If your legitimate users are acting maliciously, well that's a different problem, after all, you chose to give them access to the system. What TLS (+ your own login framework) does is ensure that only legitimate users have access. What they do with that access is not TLS's problem.
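As an added example (not code from any of the answers above), a Go program showing the distinction this answer draws: a plain HTTPS listener accepts any client whatever certificate it holds, whereas a server configured for TLS client authentication admits only certificates its operator enrolled. Every certificate, key and address in it is constructed test material generated at run time on loopback.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)
// selfSigned mints a throwaway self-signed cert for 127.0.0.1 (constructed test material, valid one hour).
func selfSigned() (tls.Certificate, *x509.Certificate) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IPAddresses: []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, leaf
}
// trust returns a pool that trusts exactly one certificate ("the operator enrolled this one").
func trust(c *x509.Certificate) *x509.CertPool { p := x509.NewCertPool(); p.AddCert(c); return p }
// handshake runs one loopback TLS connection and reports whether the SERVER accepted it: under TLS 1.3 the
// client's Dial already succeeds before the server has checked its cert, so only the server-side result counts.
func handshake(mode tls.ClientAuthType, cas *x509.CertPool, client []tls.Certificate) bool {
	server, leaf := selfSigned()
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{server}, ClientAuth: mode, ClientCAs: cas})
	if err != nil { return false }
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() { // server side: accept one connection, drive its handshake, report the outcome
		c, err := ln.Accept()
		if err == nil { defer c.Close(); err = c.(*tls.Conn).Handshake() }
		verdict <- err
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: trust(leaf), Certificates: client})
	if err != nil { return false }
	defer conn.Close()
	return <-verdict == nil
}
// scenarios: a public HTTPS site admits anyone whatever cert they hold, while a closed mutual-TLS
// service rejects a stranger's self-signed cert and admits only the one its operator enrolled.
func scenarios() (anyone, strangerIn, memberIn bool) {
	member, enrolled := selfSigned()
	stranger, _ := selfSigned()
	return handshake(tls.NoClientCert, nil, []tls.Certificate{stranger}),
		handshake(tls.RequireAndVerifyClientCert, trust(enrolled), []tls.Certificate{stranger}),
		handshake(tls.RequireAndVerifyClientCert, trust(enrolled), []tls.Certificate{member})
}
```

The same three outcomes are what a user-level login layer has to add on top of a public site: the open listener tells you nothing about who connected, only that the channel is private.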


One of the largest benefits for a site operator is increased trust from users; we often hope that they check for the presence of HTTPS before entering credit card details into an ecommerce site, for instance, and the "green lock" of an EV certificate provides some additional verification that the website is operated by the entity they claim to be.

How large of an effect this has, I don't know. The Stanford Web Credibility project has a collection of recommendations for making a website appear credible, and HTTPS doesn't appear on the list. However, the papers cited there are all 15-20 years old at this point. Much has changed in technology since then, but the real question is how much people have changed.

Tags:

Tls