What is the benefit of forcing a site to load over SSL (HTTPS)?
Let's say I have a large content-only site; no login or logout, no usernames, no email addresses, no secure area, nothing secret on the site, nada. People just come to the site and go from page to page and look at content.
Besides a slight bump in SEO from Google (very slight, from what I've read), is there any benefit of forcing the site to load via HTTPS?
Other answers talked about the benefits of HTTPS. Why would a user be forced to use HTTPS? For two reasons:
If you give users the option to not use HTTPS, they probably won't, especially since most browsers default to and not when typing a domain in the address bar.
By implementing both a secure version and an insecure version, you increase the attack surface of the connection. You give attackers the chance to perform a downgrade attack even if you think that you are using the secure version.
If you redirect every URL to the equivalent one, it makes life easier for the admin of the server and for search engines. No one has to worry about whether the and are meant to be equivalent or meant to point to completely different things; by redirecting one to another, it's clear to everyone what URLs are meant to be used.
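One way to check the "redirect every URL to the equivalent one" point from the answer above, as an added example that is not part of the original answer: it audits how a server answered plain-HTTP requests and reports any response that is not a redirect to the same host, path and query over HTTPS. The names `audit_redirect` and `SAMPLES` are hypothetical, the sample responses are constructed around the page's `mysite.com` hosts, and treating a temporary redirect as a finding is an assumption of this example.

```python
from urllib.parse import urlsplit

PERMANENT = {301, 308}
TEMPORARY = {302, 303, 307}

def audit_redirect(request_url, status, location):
    """Return the problems with a server's answer to one plain-HTTP request.

    An empty list means a permanent redirect to the equivalent HTTPS URL
    (same host, path and query string).
    """
    req = urlsplit(request_url)
    if req.scheme != "http":
        raise ValueError("expected an http:// request URL")
    if status not in PERMANENT | TEMPORARY:
        return [f"status {status}: answered over plain HTTP, no redirect"]
    problems = []
    if status in TEMPORARY:  # assumption of this example: prefer 301/308
        problems.append(f"status {status}: temporary redirect")
    if not location:
        return problems + ["redirect without a Location header"]
    loc = urlsplit(location)
    if loc.scheme != "https":  # a relative Location stays on http
        problems.append(f"Location scheme is {loc.scheme or 'relative'!r}")
    if loc.netloc and loc.hostname != req.hostname:
        problems.append(f"host changes: {req.hostname} -> {loc.hostname}")
    if (loc.path or "/") != (req.path or "/"):
        problems.append(f"path changes: {req.path or '/'} -> {loc.path or '/'}")
    if loc.query != req.query:
        problems.append("query string dropped or changed")
    return problems

# Constructed sample responses: (request URL, status, Location header).
SAMPLES = [
    ("http://mysite.com/articles/42?page=2", 301, "https://mysite.com/articles/42?page=2"),
    ("http://mysite.com/articles/42?page=2", 301, "https://mysite.com/"),
    ("http://play.mysite.com/", 302, "https://play.mysite.com/"),
    ("http://test.mysite.com/about", 200, None),
    ("http://mysite.com/a", 301, "http://www.mysite.com/a"),
]

if __name__ == "__main__":
    for url, status, location in SAMPLES:
        problems = audit_redirect(url, status, location)
        print(url, "->", "OK" if not problems else "; ".join(problems))
```

The second sample is the case the answer warns about: a blanket redirect to the home page keeps the site on HTTPS but loses the one-to-one mapping between the two URL sets.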
You have two options to secure your main domain (mysite.com) and its sub-domains (play.mysite.com and test.mysite.com).
SSL is not only for ecommerce and payment merchant sites where financial transactions or login credentials are shared over the website. It is equally important for content-based websites. Attackers always search for plain HTTP websites or loopholes in a website. SSL not only provides security but also authenticates your website. The main benefits of having SSL on a content-based website are:
You can avoid man-in-the-middle attacks that can alter the content of the site.
Besides, your website will have authenticity that notifies visitors that their information will be secured if they share it with the website.
They get assurance about the website's authenticity.
Moreover, your website will be free from injection of malicious ads, exploits, unwanted widgets, software replacement, and harm to web pages once you have SSL on your website.
An SSL certificate offers a static site seal that can be placed on any web page for assurance, and customers can click on the seal to see the details of the installed SSL certificate.
And, just to add one more thing to all the answers, I'll just talk about latency, because it seems that no one here wrote about this.
Having a low client-to-server HTTP latency is critical for making fast-loading, responsive websites.
TCP/IP alone has a 3-way handshake (initial connection setup for plain HTTP over TCP requires 3 packets). When SSL/TLS is used, the connection setup is more involved, meaning the latency for new HTTPS connections is unavoidably higher than plaintext HTTP.
The problem with HTTP is that it is not safe. So if you have sensitive data, you need some form of security. When you type something into your web browser beginning with “https”, you are asking your browser to use an encryption layer to protect the traffic. This provides reasonable protection against eavesdroppers, but the problem is that it will be slower. Since we want to encrypt our traffic, there will be some computation involved, which adds to the time. This means that if you don’t design your system correctly, your website will appear sluggish to users.
"I have a large content-only site; no login or logout, no usernames, no email addresses, no secure area, nothing secret on the site, nada. People just come to the site and go from page to page and look at content."
If this is the case, I won't use SSL at all. I would like my page to open in one second when you click it.
That's from user experience. You do as you wish, I just don't put certificates on everything I make. In this particular case, I wouldn't use it at all.
In addition to the other answers, browsers should (as in RFC 2119) send the User-Agent header. It provides enough information about what platform a user is using if he sends the actual User-Agent. If Eve can eavesdrop on a request made by Alice, and Alice sends the actual User-Agent, Eve will know what platform Alice uses without Alice making a connection to Eve's server. It will be easier to hack into Alice's computer with such knowledge.
The simple answer is that there's no good reason not to. In the past there were arguments about only using SSL where absolutely necessary (e.g. on ecommerce sites collecting payment details).
These were largely to do with the installation procedure for SSL certificates, cost, additional load on the webserver, and network limitations - at a time when people didn't have broadband etc. None of these reasons really apply in 2016.
In terms of SEO, we know that the goal of most search engines is to provide the best results for their users, and this can be done by giving them a secure connection to the site they are browsing. In this respect the search engines do not care whether there is "sensitive" data on the site (either being presented, or collected); it's simply the case that if the site is served over HTTPS, any potential risks of authentication and encryption are greatly minimised, so the site would be considered "better" than the equivalent site without HTTPS.
Essentially, it's so simple and straightforward to implement, it's just seen as best practice nowadays. As a web developer, I just consider installing an SSL certificate and then forcing all requests over HTTPS (very easy using .htaccess or an equivalent) to be a standard part of any site or web application I build.
You get HTTP/2 support, the new web standard designed to significantly improve website loading speeds.
Because browser makers have chosen to support HTTP/2 only over HTTPS, enabling HTTPS (on a server that supports HTTP/2) is the only way to get this speed upgrade.
(Parts taken from my answer to a similar question.)
HTTPS can achieve two things:
Authentication. Making sure that the visitor is communicating with the real domain owner.
Encryption. Making sure that only this domain owner and the visitor can read their communication.
Probably everyone agrees that HTTPS should be mandatory when transmitting secrets (like passwords, banking data etc.), but even if your site does not process such secrets, there are several other cases where and why the use of HTTPS can be beneficial.
Attackers can’t tamper with requested content.
When using HTTP, eavesdroppers could manipulate the content your visitors see on your website. For example:
Including malware in the software you offer for download (or if you don’t offer any software downloads, the attackers start doing so).
Censoring some of your content. Changing your expressions of opinion.
Replacing the data of your donations account with their own.
HTTPS can prevent this.
Attackers can’t read requested content.
When using HTTP, eavesdroppers can learn which pages/content on your host your visitors access. Although the content itself may be public, the knowledge that a specific person consumes it can be problematic:
It opens an attack vector for social engineering.
It infringes privacy.
It can lead to surveillance and punishment (right up to imprisonment, torture, death).
This, of course, depends on the nature of your content, but what seems to be harmless content to you can be interpreted differently by other parties.
Better be safe than sorry. HTTPS can prevent this.
Besides the benefits mentioned by others there is one reason that will make you switch to SSL unless you don't care about your visitors that use Chrome - the new versions of Chrome (starting from the end of the year as far as I remember) are going to show a warning (which will drive away users from your site) by default for all sites that aren't using HTTPS.
Here are links to two more detailed articles, though I can't seem to find the one I've read about when they're planning to officially introduce the feature:
Marketing firms like Hitwise pay ISPs to gather data about your site when you don't use SSL. Data about your site gets collected which you might rather not have your competitors know:
search engine keywords (although with "not provided" this is less of an issue these days)
HTTPS does not just provide secrecy (of which you are doubting the value, though there are good reasons for it still) but also authenticity, which is always of value. Without it, a malicious access point/router/ISP/etc. can rewrite any part of your site before displaying it to the user. This could include:
injecting ads for your competitors
injecting ads or annoying widgets that make your site look bad and harm your reputation
injecting exploits to perform drive-by downloads of malware onto the visitor's computer, who then (rightly!) blames you for it happening
replacing software downloads from your site with ones that have bundled malware
lowering the quality of your images
removing parts of your site they don't want you to see, e.g. things that compete with their own services or depict them in a bad light
Failure to protect your users from these things is irresponsible.
It prevents man in the middle attacks that make you think you are visiting your site but present a page that is actually from another and may attempt to get info from you. Since the data is encrypted, it also makes it more difficult for an attacker to manipulate the page as you see it.
Because you need an SSL certificate, that verifies you are the owner of the site at a minimum, giving at least some verification of who you are.
"nothing secret on the site"
...According to you. There might be a perfectly fine reason someone wants a secure connection. It (partly) creates privacy:
My admin can see that I'm browsing some picture site on my phone via url, but he can't tell if I'm watching pics of cute cats or hardcore porn. I'd say that's pretty damn good privacy. "a content" and "the content" can make all the difference in the world. – Agent_L
You might think it's insignificant, or maybe it's not a big deal now but could be at another point in time. I am a firm believer that no-one apart from me and the website should know exactly what I'm doing.
It creates trust. Having the padlock is a sign of security and it can signify some degree of skill regarding the website, and thus your products.
It makes you less of a target for e.g. MitM attacks. Security increases.
With initiatives like Let's Encrypt, which make it a lot easier and free, there aren't many downsides. CPU power taken up by SSL is negligible these days.