Ramshankar
on systems, software & life

Does your site need to be HTTPS?

Despite the increasing adoption of HTTPS from browsers and servers, there are still many sites that default to HTTP.⁠[1] With domain-level certificates now available for free, there’s hardly any reason not to secure your site using HTTPS.

But what about sites that don’t have sensitive information? What about sites that just serve static content?

This is a static site. It doesn’t collect any sensitive information like credit card numbers or passwords. It doesn’t make use of cookies. It doesn’t even execute any server-side scripting code (like PHP, Python or Java).

However, this site does transmit content to you — the reader. Even if this content isn’t critical to your privacy or security, you should be able to trust that the content you receive hasn’t been tampered with by a third party. And this is where the old HTTP protocol has a problem.

HTTP is insecure and subject to man-in-the-middle attacks.

Content exchanged over HTTP is ripe for manipulation by third parties. For instance, hotel WiFis are known for injecting ads into the pages of their users,⁠[2] potentially leading to the installation of trojans and viruses.⁠[3] ISPs themselves are well known for injecting ads, renewal reminders and data cap notifications into the pages of their customers.⁠[4] These are just a couple of examples that scratch the surface of the risks involved with plain HTTP.

On the bright side, the issues mentioned above can be easily mitigated if servers and clients (users) exchange content over HTTPS. It would be even better if servers automatically redirected these insecure accesses to the more secure version.

HTTPS uses digital certificates to establish a chain of trust for authenticating ownership of websites. It also encrypts the content exchanged between servers and their clients and protects it against modification in transit, which ensures both the privacy and the integrity of the content.

I don’t include any ads in this site, nor do I include any code which jeopardizes the privacy of users. I’m not even using Google Analytics, because it involves sending data to a third party.⁠[5] With that being the case, I should, as far as possible, ensure the content reaches you in its pristine form. This is why I made this site serve content over HTTPS. Accesses to this site made using HTTP are automatically redirected to HTTPS.

Besides verifying authenticity and ensuring integrity of content, sites with HTTPS are ranked higher by search engines. Browsers have also become increasingly aggressive with flagging non-HTTPS sites as insecure.

Although establishing an HTTPS connection might be slower than HTTP, HTTP/2 and features like TLS session resumption and OCSP stapling make the difference in performance negligible. I posit that the small trade-off in performance is well worth it.
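As an added illustration of the two points above (the automatic HTTP-to-HTTPS redirect, and the session resumption and OCSP stapling that keep the cost down), here is a minimal nginx configuration for a static site. This is example configuration written for this page, not the author’s own config; the hostname, certificate paths, document root and resolver address are placeholders.

```nginx
# Added example (not the author's configuration): one server block that only
# redirects, and one that serves the static site over TLS.
# example.com, the /etc/letsencrypt/... paths, /var/www/example.com and the
# resolver address are placeholders.

server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;   # placeholder hostname

    # Permanent redirect that preserves host and path; nothing is served over HTTP.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com www.example.com;   # placeholder hostname

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;  # placeholder path
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;   # placeholder path

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # TLS session resumption: a shared session cache lets returning clients
    # skip the full handshake on later connections.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;

    # OCSP stapling: nginx fetches the certificate's revocation status itself
    # and sends it during the handshake, so the browser does not have to
    # contact the CA before rendering the page.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;  # placeholder path
    resolver 127.0.0.1 valid=300s;   # placeholder resolver used for the OCSP lookup

    # Tell browsers to go straight to HTTPS on future visits, skipping the redirect.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    root /var/www/example.com;   # placeholder document root
    index index.html;
}
```

After reloading nginx, `curl -I http://example.com/` should return a `301` whose `Location` header points at the `https://` URL, and `curl -I https://example.com/` should show the `Strict-Transport-Security` header. Only enable the `includeSubDomains` flag once every subdomain is also served over HTTPS: browsers cache the policy for the whole `max-age`, so a subdomain that is still HTTP-only becomes unreachable for returning visitors.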

In conclusion — yes, your site needs to be HTTPS.

HTTPS isn’t the be-all and end-all of website security. However, it’s a much-needed starting point.

1. W3Techs (accessed 8 Jan 2020) - usage statistics: sites defaulting to HTTPS are just over 50%.
2. Hotel WiFi injecting ads: instance 1 and 2. I could give more instances, but a couple is more than sufficient to show it’s not only possible but it does happen.
3. StackExchange - Hotel WiFi injecting JavaScript posing as a Windows update.
4. StackExchange - Ads injected by ISPs such as Hathway, BSNL and Comcast into the pages of their customers.
5. I’m using GoAccess, a free and open-source software for analyzing Nginx logs. If this proves insufficient, I may consider using Google Analytics someday.