I’ve recently skimmed through the website, essays and found that it doesn’t support a valid HTTPS certificate (some Yahoo store wildcard certificate). With portfolio companies like Weebly and Webflow in the list, what makes Paul stick to an old plain website?<p>Please don’t answer that it’s not in your top 100 to-do list.
Honestly I used to think the same, until adding HTTPS support became as simple as a button, and now there's no reason not to. Specifically for websites hosted on GitHub and AppEngine which most of my sites are, it's little one button with LetsEncrypt. Beforehand, getting an SSL cert was honestly a PITA and not worth it for a simple static website.
Practically, you don't do a cert for your site, you do it to protect visitors to your site from getting compromised by a MITM attack.<p>A site without a cert is basically telling its users "I don't care about you."
It's just a plain website that doesn't do anything besides give you some text and images. This is technology that has functioned just fine for decades. I don't understand why it needs SSL at all - where's the private information that might be intercepted by someone in the middle?
Agree that the website is simple, but it can be promotional on his end - it's good to show best practices. And his website clearly has a lot of traffic, a lot of engineers read it.
scripting.com doesn't use https either (went through a list of some older blog sites I could think of but most are https now.)<p>The following was written years ago, but it is a lot easier to use https now. http://scripting.com/2014/08/08/myBlogDoesntNeedHttps.html
I'm surprised by the number of responses in this thread from people not understanding the purpose of HTTPS, even for static sites.<p>This is a good summary of why you should use HTTPS: https://doesmysiteneedhttps.com/
> what makes paul stick to old plain website?<p>It requires no effort to stick with HTTP. Yes, it's not rocket science to use HTTPS, but it requires a non-zero amount of time to enable it. He probably has better things to do with his time.<p>Besides, it's his personal website... He can do whatever he wants with it.
Given that HTTPS is required for HTTP2 to work in current browsers and it's easy to get a letsencrypt certificate, this is a reasonable question. On the other hand, I guess it doesn't really matter for his simple purpose of distributing public information.
I reckon that static sites that don't require JS can stay just fine using HTTP (provided you turn off JS in the browser, which is the best default you should be having anyway)<p>Please do correct me if I'm wrong, but I think a whole lot of trouble can come if you enable running scripts over unsecured connections. From malicious DOM manipulations to exploiting CPU vulnerabilities. All of this of course if you assume the website you're visiting isn't itself doing malicious things :)
The opposite take, delivered with humor [need to hide HN referrer]: http://n-gate.com/software/2017/07/12/0/
This is the hacker spirit. Doing something short of the way it's supposed to be done (not adding SSL), to make another point (I hate overengineering).