jtafurth | 11 months ago

I worked for an authority that issued digital certificates for SSL and digital signatures. It's not only about providing encryption but also about trust: when a top-level entity issues an SSL certificate, a number of identity validations are carried out, adding an extra layer of confidence on that website.

This may seem inconsequential for static websites without PII; however, most browsers consider it important, as it reduces the risk for all parties involved when encrypted communication is used and the content provider has taken basic steps for identity verification.

There are logic flaws with this approach to security imo, but it's the most commonly used technique at the moment.

sergiotapia|11 months ago

you didn't answer the _why do we need all that for a drum beat making website_?

jdiez17|11 months ago

Unauthenticated http is a vector for opportunistic malware. They don’t target specific websites, just inject evil.js wherever.

nklymok|11 months ago

At least so that login / register data don't go to the middle man.

otabdeveloper4|11 months ago

You don't. But you will be penalized by Big Co for not supporting https.

(It's effectively a "doing business on the Internet" tax. Thankfully not that expensive for small hobby projects now.)