"Using HTTPS is only useful if your page has a login. Just use HTTP."

Wow. There are so many fucking morons in our industry, it's absolutely sad and terrifying.

Just show him that little padlock & warning Google Chrome displays about insecure websites.
Then tell him, he's in charge of dealing with customers questioning it or giving us bad ratings.

@lotd I have trouble with this. Does Google already do this?

What if I have a static page, why would I need an SSL on that? There is nothing to protect/encrypt there. The page is the same for everyone.

Am I missing something?

@MisterArie static html might not have anything to protect, but it'll still show a warning about visiting an insecure site..

Dealing with people that either can't figure out how to bypass and visit either way or flags your stuff as shit, because it's "not secure"..
Is.. Well.. A pain in your rectum. To put it mildly.

@lotd yeah I get that, but that is Google fault then for forcing us to use things that are not needed.

And by doing that driving up cost and server resources for no reason. I get what they are trying to achieve. But I think they are doing it wrong.

@MisterArie let's encrypt ftw :3

@MisterArie It's not just to keep content secure from outside viewer, but to verify and to make sure content come from the right source. Otherwise we could be exposed to man-in-the-middle attacks every easy

@MisterArie The fact that countries can filter out sites they don't want their citizens to visit because pages aren't encrypted.

The fact that ISP's can inject tracking shit into unencrypted web pages

The fact that anyone on the way from the server to you can manipulate the page in any way including to deliver exploits

Could go in like that for a while :) (not attacking you or anything!)

@linuxxx encrypted sites can also be blocked right?

And the other to points sounds to me the same as saying. "You should not drive in a car without bulletproof windows because somebody could shoot you". And yeah it's true but it's a bit overkill for my grocery shopping.

So In still don't see why my clients public website with pictures of his cat he likes to show to his friends should have ssl. It will only cost him.

@monkcs I get that but, but effort vs risk I do not think it's worth charging my client an extra 15 minutes of work.

It feels like selling snow insurance to someone in the Sarah.

@Al-Jarrah in case of mitm attack all trafic could be redirected to another domain by dns spoofing right?
So if you are on https or not that wouldn't make much of a difference right?

Are there any security specialist on devRant? Things like this keep me wondering.

I truly believe in securing your shit, but wonder where to draw the lines.

@MisterArie I think with hpkp it would help under the condition the user has visited that site before because then the browser would know
1. that https is required and
2. which certificates to accept
and could that way detect connecting to the wrong server

Just no. Do some reading and educate yourself please.

@Al-Jarrah yeah thats what I said, so it's possible and https does not help.

It only helps against basic spoofing. But if you intercept before they ever reach the server you can just redirect them to where ever you want.

See the second answer, apperently you need a proxy. But if you went through all this trouble already. Whats another proxy.

@provector I would love to do some more reading but everything I read so far is making me doubt the use more for basic content sites.

If someone wants to do harm they can, so it offers nothing but a little road block.

@MisterArie basic purpose of https is to obfuscate otherwise plain text connections between devices. Pornhub doesnt require a login yet im certain you dont want random people spying on your fetish preference by just reading the connection headers ;) just an example

@provector yeah, and I get it for pornhub.

But not for my client that wants to show his stamp collection to the world. In the end he ends up paying for the extra work.

@Al-Jarrah yeah, but why would anyone put so much trouble into rebuilding my clients stamp collection site with 10 visitors a week.

I still don't see how I could sell an SSL to my client without feeling like a crook.

@MisterArie happy days then :) its his money

@provector yeah but my client does not want one, he just listens to me telling him he needs one.

And I still don't see why he would need one for the content and amount of traffic he got.

Yeah it's better but so are bulletproof windows for my car. And the chance of me getting shot vs the cost of those windows.

SSL v3 for free: www.letsencrypt.org
There is no excuse to use HTTP. For all our clients we simply forbid HTTP, and make redirection to HTTPS, regardless what is the size and content of their website.

It is irresponsible in this day and age to send or receive anything from or to network unencrypted.

It is nobody's business what I am viewing on someone's site even if it is just recipes for pancakes.

And it is negligent to the point that you shouldn't get paid, if you provide a WordPress site that breaks when SSL is enabled due to mixed content errors. The homepage isn't sensitive, the admin login is.

Chrome, and other browsers, only show a warning if you attempt to visit a site using https when there isn’t a valid certificate in place, or if a site does have some kind of login and isn’t https. There really isn’t any reason to use https on a site that isn’t handling sensitive information unless you just want that little green padlock.

I wrote and article on this stuff guys 😝

Also, +1 for LetsEncrypt

@sinisas what about man hours and server costs?

The world isn't that black and white. Just because you can get something free doesn't mean it's free.

If I would suggest changing some websites with no ssl to websites with SSL. A chain of events is started that would probably affect at least 6 people and would result in for sure one meeting. So that like 3 men work hours at 100 dollar. So 300 dollar. And then we havent even installed it yet.

After that there is going to be testing, changing documentation and communication with the client. You are probably looking at 1000 dollar cost for one client. And this client is only providing none sensitive information to everyone who wants to read it.

Why should my client pay a thousand dollars or should my company do so?

I get it for sensitive information, data exchange. But public websites for a small target audience. It just feels like a scam.

@MisterArie it takes 1 guy and 10min to install letsencrypt SSL on a server that has multiple virtual hosts. Their installer will take care of all vhost records you select.

If a website was built to depend on http protocol, and will break as soon as you switch on SSL, that is a bad build and should be refactored.

P.s.

If website has mobile support for location service, reads sensor on the device etc. SSL is a must

@sinisas ooh, I'm a 100% sure it would take more then a month of meetings to get permission to run third party software on our servers thats called letsencrypt.

And I probably wont get it. The managers would probably think it sounds like WanneCry. And they Saw in the news WanneCry was bad. Most people that make the desicions don't have the knowledge and get advice from other people. Who in turn have to put in hours to explain.

And changing a process in a company is even more expensive. There is a process for installing SSL. It's al documented. Who is responsible for what, who needs to give permission, wich client departement has to pay. And installing SSL dependig on where it's going to be installed is never a one man job.

You are only looking at the direct cost in man hours and SSL purchase.

The points you make would probably work for small informal companies,, freelancers, hobby projects.

Some of the companies we work for have so many protocols it takes a week to get permission to change some text on a page.

@MisterArie understand now your point.

However some options such as Amazon AWS give u free SSL that is installed on elastic load balancer - incurs no cost at all - and no men hours spent. Companies that are in tech business have to evolve. Maybe 10y ago SSL was not easily accessible to everyone but today is really affordable to everyone.

My company does web dev and hosting for mid to large size corporations and in past year, all services we made for them are by default on https/wss From corporate sites, internal infrastructure to campaign sites, webapps etc. Clients are not even trying to argue.

Hence I am a bit strong with "this day and age" because it is really easily accessible feature. At least from my experience.

@sinisas I agree we have to chance, but in most cases the bigger the company the slower the change.

@Pyroclastic I'm not sure the difference between the two other than https is more secure and helps guard your data. Does that make me a moron? Harsh words for people you don't know.

@MisterArie How will it cost him?! I run every site I have with SSL, doesn't cost me a single euro or whatever O.o

@MisterArie Not officially but I'm into cyber security a lot yeah

@linuxxx pretty sure I explained in the above comments how it would cost. If you still have questions please ask

I think it is good idea to deploy https even on small sites. Lets Encrypt automates the stuff so much it is only matter of few minutes with no maintanance. There are few risks when using http. ISP injecting ads, spying on your history (most common on public hotspots, some free VPN services). Also there can be delivered exploits by changing the content of the site (MitM on local network or somewhere enroute). So it is not exactly for safety of your customer but for safety of website visitors.

@sudoguy exactly!

@sudoguy still, I’m not going to say SSL is bad, but there are certain sites where it is basically pointless. Besides being a small aesthetic improvement, having SSL on a static site with no login, no device access, and no other user data is all but pointless. If you’re worried about man in the middle attacks you can always use a proxy service such as tunnel bear or Tor, but SSL is going to do very little to improve your security.

That being said, I still do use Let’s Encrypt solely for the small aesthetic boost that having that green padlock gives my site. It is all but pointless though.

@watzon yes because the Tor network has such a good history in preventing MITM attacks 😑

imo SSL is a must for any http service that cares about its clients.

@MisterArie Very late but yeah just saw those comments and fair enough in your case (although I hope I never visit any of those http sites, no offense!). But what about the wordpress login for the client though, is that one not encrypted through ssl/tls either? In that case, that IS actually reallyl bad.

Anyways, the first thing I do with every, EVERY (sub) domain I 'install'/configure is setting up SSL. Even wrote a very simple script for it, one command with a parameter and after about 20 seconds the SSL is setup and it takes me about... I think like 30 seconds to alter the configuration as I always run certbot with the certonly option.

@linuxxx old discusion indeed :) all sites that have logins got ssl. But the once without dont.

@sinisas I really hope you didn't mean to write "SSL v3"...

@linuxxx remember when we started this discusion. I brought it up then to switch some old projects to https.

I got premision to switch a low trafic (1-2 visitors a day) project to letsencrypt. If all stays stable for a few months I might be allowed to do more.

@MisterArie Awesome!