On today’s web, you’d think it uncontroversial to encrypt connections between web browsers and servers. We live our lives on the web. Every day, we send financial and other sensitive data to servers and services we trust — at least nominally. Without an HTTPS-encrypted connection, which requires an SSL certificate, that data is sent in the clear for anyone to read.
But we all come across sites that don’t offer HTTPS connections. Many are content publishing sites — blogs, news sites, image sites — and their owners simply don’t see the upside of offering HTTPS. I think that’s a mistake, and I’m not alone. Most security experts recognize the benefits of HTTPS for almost every site, as do organizations like Google, which advocates for HTTPS Everywhere and uses HTTPS as a positive ranking signal.
This is the obvious one. HTTPS uses SSL certificates to establish practically unbreakable encryption for all data traveling over a connection. Snoopers can’t see the data you send or receive.
Between the server that hosts your web service or site and users’ browsers, there are perhaps dozens of opportunities for someone to snoop. Data can traverse several networks in different countries run by different companies, and that doesn’t include any malicious attackers that might have an interest in your site and its users.
For a web browser to recognize the validity of HTTPS connections, the SSL certificate used to create the connection must be signed by a Certificate Authority. CAs validate the identity of the applicant before they sign a certificate. There are various levels of identity validation, with the most basic being Domain Validation, which is usually enough for sites that don’t handle sensitive or financial data.
Identity validation helps your users to trust you. They know that when they send and receive data, they’re connected to a site that — at the very least — is under the control of a person who has proven ownership of the site’s domain.
HTTPS Prevents Content Injection And MITM Attacks
Without encryption, anyone can see the data traveling to and from your servers, but more importantly, if they can see it, they can change it. A man-in-the-middle attacker will position themselves somewhere between the server and the browser, intercepting data traveling in both directions and changing it before it’s sent on to its destination.
This isn’t as rare as you’d think. Some Internet Service Providers have used this capability to inject advertising, which is one of the more benign ways unencrypted connections can be abused.
In short, if you don’t encrypt connections, there’s no way users can be sure the data they receive is the same as the data you sent, and vice versa.
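The two points above, identity validation and protection against tampering, come down to a check the browser performs on every HTTPS connection: the certificate must chain to a trusted CA, must be within its validity period, and must name the host being visited. The following script is an added example, not code from the original post; it reproduces that check with Python's standard `ssl` module (the default context verifies the chain against the system trust store and refuses a mismatched hostname) and, for offline illustration, applies the hostname and validity rules to a constructed certificate record in the shape `getpeercert()` returns. The domain `example.com`, the CA name and the dates in that record are invented for the example.

```python
import socket
import ssl
import sys
import time

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert().
# This is not a real certificate; names, issuer and dates are invented.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("organizationName", "Example CA"),),
               (("commonName", "Example CA R1"),)),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Apr  1 00:00:00 2024 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}


def _label_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style matching: '*' may only be the whole leftmost label and
    stands for exactly one label, so '*.example.com' covers 'www.example.com'
    but neither 'example.com' nor 'a.b.example.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers_hostname(cert: dict, hostname: str) -> bool:
    """True if a DNS subjectAltName entry covers hostname. As browsers do,
    ignore the subject commonName whenever SAN entries are present."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return any(_label_matches(s, hostname) for s in sans)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and _label_matches(value, hostname):
                return True
    return False


def cert_is_current(cert: dict, now: float) -> bool:
    """True if `now` (Unix seconds, UTC) falls inside the validity window."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return start <= now <= end


def check_host(hostname: str, port: int = 443) -> dict:
    """Connect with the default context: the chain is verified against the
    system trust store and the hostname is checked, so a self-signed, expired
    or misnamed certificate raises ssl.SSLCertVerificationError, just as a
    browser would refuse the page. Returns a summary of what was presented."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    with socket.create_connection((hostname, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
            version = tls.version()
    return {
        "protocol": version,
        "issuer": dict(x[0] for x in cert["issuer"]).get("commonName"),
        "not_after": cert["notAfter"],
        "covers_host": cert_covers_hostname(cert, hostname),
        "current": cert_is_current(cert, time.time()),
    }


if __name__ == "__main__":
    # Usage: give a hostname as the first argument; requires network access.
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    try:
        for key, value in check_host(host).items():
            print(f"{key}: {value}")
    except ssl.SSLCertVerificationError as err:
        print(f"{host}: certificate rejected: {err.verify_message}")
```

Run it with a hostname argument to see the issuer, expiry and protocol version the server presents; the rejection branch is what a man-in-the-middle substituting their own certificate triggers, because no trusted CA has signed a certificate for that name to them.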
SSL certificates used to be expensive and complex to set up. For Domain Validated certificates, that’s no longer the case. Let’s Encrypt is a Certificate Authority that provides free DV certificates along with a tool that can quickly validate and install certificates for common server configurations.
In a nutshell, HTTPS protects you and your users, and, for most content sites, it will cost you nothing to implement.