Does my site need HTTPS?

106 points by WallyFunk, over 3 years ago

26 comments

marginalia_nu, over 3 years ago
Eh, I really wish there would be more pushback against HTTPS.

It does include a lot of problems, including the reporting of browsing information through non-stapled OCSP, there's still major MITM-problems (yes, still; for example CloudFlare is huge-ass MITM), and no matter what this site claims, HTTPS is definitely still a lot slower than HTTP, even with HTTP/2; and it further makes it a lot easier to hide which data is extracted from a computer from the user. Encryption is great if you are using it, but it can also very much be used against you. The centralization it drives also creates unpleasant attack vectors for snooping governments.

I wish there was a way non-sensitive data could be transmitted plain-text, but signed with a server certificate. This solves many of the same problems, while avoiding many of the problems with HTTPS.

hamaluik, over 3 years ago
Does your site need to redirect me to the French version (https://faut-il-https-sur-mon-site.fr/) just because I'm in Canada?

No, no it does not.

RKearney, over 3 years ago
> "HTTPS is difficult to set up and maintain."

> It just works if Caddy is your web server.

I wonder what percentage of people who think HTTPS is difficult to set up and maintain are able to run their own VPS and properly install and configure caddy.

Minor49er, over 3 years ago
Another interesting side effect of not using HTTPS is that other sites won't trust yours. In particular, if you try to use Open Graph or similar metadata to generate previews that other sites can embed when your link is posted, many of them simply won't do it because they don't trust the origin.

chme, over 3 years ago
I guess public linux distribution repo mirrors can still be http, if you are fine with leaking which packages you are installing.

The packages themselves are signed and checked locally before installing them, so MITM shouldn't be possible. If your local trust is broken, then you lost already.

And you can easily set up caching proxies for the repos, without requiring to set up your own CA.

Freskis, over 3 years ago
The website misses the reason that I have not moved my domains to HTTPS: Google.

Google treat the HTTP and HTTPS pages as separate for link ranking purposes, so there is a chance that a move will destroy 10 years of link ranking. Even with redirects, there is a non-zero chance of the business being destroyed.

If Google would treat HTTP and HTTPS pages as the "same page" then I would move tomorrow.

eric_b, over 3 years ago
For everyone here saying "Just use Let's Encrypt" - well, they've had some security issues over the last couple of years. Most recently [1]. They revoke certs and change challenges seemingly on a whim. I've had a number of fires to put out in the past 12 months because of LE.

Also, good luck using LE in a web farm type environment "easily". Given the challenge limits there's usually a fair bit of plumbing required to get multiple servers on the same domain with the same certificates. It's anything but "just works".

[1] https://www.bleepingcomputer.com/news/security/lets-encrypt-is-revoking-lots-of-ssl-certificates-in-two-days/

1vuio0pswjnm7, over 3 years ago
""It's the browser's job to keep users safe."

True, but incomplete. It is not SOLELY the browser's job. Browsers can only keep the users safe if the server provides credentials through an HTTPS certificate. As a site owner, it's your responsibility to provide these credentials for your clients."

HTTPS, or even using the internet in general, is not the only way to provide credentials to clients (users). For example, public keys can be provided using other protocols or even out of band.

Not every website is engaged in commerce nor otherwise needs to "scale" in a way that only computers can enable.

Evidlo, over 3 years ago
I find certbot a PITA to use and maintain despite the EFF's efforts.

And caddy is still not available in the Debian repos.

bArray, over 3 years ago
> The only reason you should open port 80 on your server is to redirect all requests to port 443 and then close the connection on port 80. (Someday, maybe we can drop port 80 altogether.)

I think it is fine to support both if you are not handling forms, etc. Obviously you prefer people to use HTTPS, but there may be cases where HTTP is preferred. One example might be a large download where you can verify the hash afterwards, or interacting with old hardware/software.

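The local integrity check that chme's and bArray's comments rely on, as an added example that is not part of the thread: a file fetched over plain HTTP is accepted only if it matches an index entry, and the index only if it matches a trust anchor held locally. The index format, file name and sample bytes are constructed, and `trusted_index_digest` is an assumption standing in for the signature check a package manager performs.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_index(index: bytes) -> dict:
    """Parse '<sha256> <size> <name>' lines into {name: (digest, size)}."""
    entries = {}
    for line in index.decode("utf-8").splitlines():
        if line.strip():
            digest, size, name = line.split(maxsplit=2)
            entries[name] = (digest.lower(), int(size))
    return entries

def verify_download(name, payload, index, trusted_index_digest):
    """True only if the index is authentic AND the payload matches its entry."""
    # The index travelled over plain HTTP too, so authenticate it first.
    # Assumption: trusted_index_digest stands in for the signature check
    # a package manager performs against a locally stored key.
    if sha256_hex(index) != trusted_index_digest:
        return False
    entry = parse_index(index).get(name)
    if entry is None:
        return False            # file not covered by the authenticated index
    digest, size = entry
    return len(payload) == size and sha256_hex(payload) == digest

# Constructed sample data (not a real package or repository).
NAME = "hello_1.0.deb"
PKG = b"constructed package bytes\n" * 4
INDEX = f"{sha256_hex(PKG)} {len(PKG)} {NAME}\n".encode()
TRUSTED = sha256_hex(INDEX)     # obtained out of band, never over the HTTP link

def demo():
    tampered = PKG + b"injected by an on-path proxy"
    # An on-path party that rewrites the file can rewrite the index as well.
    forged_index = f"{sha256_hex(tampered)} {len(tampered)} {NAME}\n".encode()
    return {
        "clean": verify_download(NAME, PKG, INDEX, TRUSTED),
        "tampered_file": verify_download(NAME, tampered, INDEX, TRUSTED),
        "tampered_file_and_index": verify_download(NAME, tampered, forged_index, TRUSTED),
        # Trusting whatever digest arrives beside the file defeats the check.
        "digest_taken_from_same_channel": verify_download(
            NAME, tampered, forged_index, sha256_hex(forged_index)),
    }

if __name__ == "__main__":
    print(demo())
```

The last case is the one to watch for: a digest fetched over the same unauthenticated link as the file detects corruption but not modification in transit.
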
dreamsbythelake, over 3 years ago
HTTPS (TLS v1.3) *does add ~100% overhead*. I personally prefer simple HTTP sites, but everyone is scared of "Not Secure" message in address bar ... So we all have to pay that penalty, even on static sites, easily checked against WayBack Machine or Tor service.

enriquto, over 3 years ago
What if you don't trust any certificate providers?

ThinkBeat, over 3 years ago
Having been around for a while I remember the concerns companies and sites had for the computer power required to serve https traffic.

They used to make SSL/TLS and more accelerators you could slot into servers to make it faster.

As a devil's advocate, I wonder how much energy the world would save by using HTTP, instead of HTTPS.

That is a hell of a lot of processing going on every single second globally.

The fatter and fatter and fatter websites get, the more compute is required to encrypt and decrypt everything.

Think of how much electrical power could be freed up and used for better things. </s>

ozim, over 3 years ago
If they serve ads via http - good luck, now any ISP can put their own ads instead of theirs and they will never know and will never get any money from it :)

erwincoumans, over 3 years ago
Didn't realize certificates are really free (according to that site), I've been paying GoDaddy $94.99 for a Standard SSL Renewal yearly.

fireflymetavrse, over 3 years ago
> "I can't afford a certificate."

> They're free.

May be free but is it still applicable on hosting providers like Godaddy?

eswat, over 3 years ago
This site needs translations for the intended audience. Looking at you Japan, South Korea, et al.

xhrpost, over 3 years ago
I haven't signed up for a cert in a while, is some form of personal/business validation still required? I'm just wondering if forcing HTTPS everywhere will make it difficult to anonymously own your domain in the future.

mhitza, over 3 years ago
I really miss the days when EV certificates were highlighted in the address bar. I feel like nowadays it would be easier to get scammed, due to things like unicode characters in URLs for example.

ChrisArchitect, over 3 years ago
(2017)

some previous discussion: https://news.ycombinator.com/item?id=14753993

Graffur, over 3 years ago
While I agree with the premise. What is this about:

"Our site displays ads over HTTP."

Sorry, not sorry.

endofreach, over 3 years ago
Yes.

arpa, over 3 years ago
But it runs in my LAN.

pierrebeaucamp, over 3 years ago
Some counter-arguments from n-gate.com: http://n-gate.com/software/2017/07/12/0/

slim, over 3 years ago
this seems to be a marketing website made by the developer of caddy httpd

arpa, over 3 years ago
four letters in schema bad, five letters in schema good.