It’s uncontroversial that sites handling sensitive data like credit card numbers should implement HTTPS to protect that data from snoopers. It’s also best practice to encrypt connections for sites that allow users to log in — not only is their data protected as it travels from the site to the browser and back again, but so is the authentication cookie that maintains their session.
But it’s becoming increasingly common for security experts and online service providers to recommend that all sites be encrypted with SSL. Google gives secure sites a bump in the SERPs, and its Chrome browser may soon give users a visual warning if a site isn’t encrypted. That doesn’t just apply to the classes of sites for which encrypted content is now the norm, but to read-only sites with no sensitive user data and no logged-in users.
I’ve seen many people questioning the value of using SSL for read-only static sites. Implementing SSL is a pain, and unless you know what you’re doing, the screw-up potential is high. So, is there really any reason to encrypt the static blog on which you write cookie dough reviews?
There is a reason, and it’s a good one. SSL encryption achieves two things: it ensures that all the content really comes from your site, and it ensures that nothing is changed between your site and the user’s browser (with the possible exception of some corporate networks that do tricky things with SSL proxies).
A man-in-the-middle attack intercepts content as it travels from site to browser and vice-versa. The attacker can change the content and then send it on to the user, who will be none the wiser. SSL prevents this.
You might be wondering who would want to inject or manipulate the content of your cookie dough site, and you’d be right that there is almost nothing to gain for a hacker, unless they are mounting a targeted attack against a specific user. But there is another motivation for altering content as it flows across the internet: the insertion of advertising. A number of Internet Service Providers, especially mobile providers or WiFi providers like airports and hotels, will insert their own advertising and other content into web pages that are delivered over their networks.
That means a person browsing your cookie dough site, on which you have your own advertising, may be seeing your pages with your advertising removed and someone else’s injected. Obviously, this is a dishonest practice, but that doesn’t stop ISPs from doing it.
If your site serves its content over an encrypted HTTPS connection, no one between the server and the browser can read its contents or inject anything into them. SSL certificates ensure that the user sees what you want them to see, and what they expect to see, not the content a third-party bandwidth provider wants them to see.
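As an added example (not part of the original post), this is the kind of check a site owner can run to spot the injection described above: compare the page the origin served with the page a client on a given network received, and list any script or iframe sources from hosts the site does not use. The sample HTML, hostnames and allowlist are constructed for illustration; over HTTPS the received page would match the served one.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the page as the origin server actually sends it.
EXPECTED_HTML = (
    "<html><head><title>Cookie dough reviews</title></head><body><h1>Reviews</h1>"
    '<script src="https://ads.cookiedough-blog.example/show.js"></script>'
    "</body></html>"
)
# Constructed sample: the same page as received through an in-path proxy that
# stripped the site's own ad tag and injected its own script and tracking iframe.
OBSERVED_HTML = (
    "<html><head><title>Cookie dough reviews</title></head><body><h1>Reviews</h1>"
    '<script src="http://inject.isp-ads.example/banner.js"></script>'
    '<iframe src="//tracker.isp-ads.example/pixel"></iframe>'
    "</body></html>"
)
# Hosts the site owner legitimately loads active content from (assumed).
ALLOWED_HOSTS = {"cookiedough-blog.example", "ads.cookiedough-blog.example"}


class _SourceCollector(HTMLParser):
    """Collects the src attribute of every <script> and <iframe> tag."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            self.sources.extend(v for k, v in attrs if k == "src" and v)


def page_digest(html):
    """SHA-256 of the page text; any in-transit change alters it."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


def foreign_sources(html, allowed_hosts):
    """Script/iframe URLs whose host is outside the site's allowlist."""
    collector = _SourceCollector()
    collector.feed(html)
    foreign = []
    for src in collector.sources:
        # Scheme-relative "//host/path" needs a default scheme; a same-origin
        # relative path such as "/app.js" yields no hostname and is skipped.
        host = urlparse(src, scheme="http").hostname
        if host and host not in allowed_hosts:
            foreign.append(src)
    return foreign
```

A digest mismatch alone only says something changed; the foreign-source list is what tells you whether a third party, rather than your own deploy, is the cause.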
Of course, you may not care enough about this problem to go through the hassle of implementing SSL, but there is plenty of justification for Google and others to encourage HTTPS everywhere.