A couple of years ago I would have said no; I mean, why would you need HTTPS in the early 00’s? However, today I’m convinced that it’s necessary to have it in place, and here’s why.
I know what you’re thinking, “How shiny is this guy’s tin foil hat?”, but in recent news and over the past few years we’ve seen some dramatic changes in the way data flows and gets stored, so much so that even the sanest of people are buying up all the tin foil.
One of the common ways people are being duped is through malicious pieces of software and spoofing services. It doesn’t take a lot of effort to pull off either: just one wrong letter in the URL will take you to a site that might mimic its counterpart to the finest detail.
To a certain degree encrypted connections make up for the inadequacy of the already insecure DNS infrastructure, as with HTTP you don’t get the same level of security.
When browsers are forced to use HTTPS connections it slightly tightens the security policy, which means fewer opportunities for hackers on the client side regardless of the communication channel.
When it comes down to it, if HTTPS isn’t present a user is vulnerable to the issues mentioned above, like attacks and tracking. Once the user has been hacked, even just once, they’re susceptible forever, or at least until they’ve reformatted and restored their device.
Let’s take Facebook for example: a few years ago they used to serve their login page over HTTP. A government in the Middle East decided to inject JavaScript into the page to steal users’ passwords straight from the login form. It didn’t matter that the passwords were sent to Facebook via HTTPS; the login page was running on HTTP, which led to accounts being compromised.
It’s not like it used to be: a few years ago HTTPS was rare and expensive, but now the tables have turned. Now you can pick up an SSL certificate for a few dollars and even grab a wildcard SSL for a few dollars more. So what are the major benefits of HTTPS?
Personally I would say this is the major benefit of sending data via HTTPS as it tells the end user that the content delivered is from the source and it hasn’t been tampered with in any way.
The webpages you’re viewing and what you’re doing aren’t visible to anyone sniffing network traffic as it’s fully encrypted via HTTPS.
Protection is important when it comes to handling money transfers, as with online banking or e-commerce sites, so you definitely don’t want anyone malicious to send another copy of the commands and make the transfer twice.
When most people think of a secure connection they take all 3 points into consideration, but I would say that authenticity is the most vital. Let’s say I go to reddit.com, what I expect is exactly what Reddit sent, not anything else. I don’t really care if anyone sees what I’m reading, but I am concerned if there’s a man in the middle feeding me false content and injecting code for an attack.
The real question is: Why isn’t everyone using HTTPS? In short, it’s not the default configuration yet, but we’re slowly getting there. That shouldn’t stop you from securing your site, even on a CDN with free custom SSL integration.