The explanation I've seen before is that it doesn't really matter for websites that don't _want_ anything from you. No credentials, no login forms, no text entry fields.
> The explanation I've seen before is that it doesn't really matter for websites that don't _want_ anything from you. No credentials, no login forms, no text entry fields.
Still worth creating a bit of a shield between you and the site to make it just that much harder for anybody in the middle to inject anything / change anything.
Back before Let's Encrypt made it inexcusable to not have https, it was a common-ish prank to MITM all the HTTP traffic you could see and do something harmless like rotate images 180 degrees.
Without TLS, sometimes still referred to as SSL, a website's content can be modified by anyone controlling the network path. This includes ISPs and WiFi operators.
Sure, your website may have unimportant stuff on it that nobody relies on, but do you want visitors to see ads in your content that you didn't put there?
> Maybe there are edge cases associated with this?
Plenty. There are a lot of information-only websites where you might want to keep your visit to yourself.
To give an obvious example: some parts of the United States are trying very hard to make abortion impossible. The state government could mandate that ISPs MitM your traffic, and alert the police when you visit a website giving you information about the legal abortion clinics in a neighboring state. Guess you'll be getting a home visit...
The same is going to apply with looking up info on LGBT subjects, civil rights, Tiananmen Square, a religion not explicitly allowed by the state, whether Eurasia has always been at war with Oceania, and so on. Heck, even a seemingly innocent website visit could theoretically come back to haunt you years later. Just some bored scrolling on Wikipedia? Nope, you were planning a crime - why else were you reading pages about chemical warfare during WW I? That neighbor who died due to mixing bleach and ammonia was obviously murdered by you.
If it's unencrypted, you should assume it's being logged by someone nefarious. Are you still okay with it?
Without TLS, people (service providers and intermediaries) can tell what pages I'm reading on your site. They can make the kind of inferences from these that get people convicted at trial.
In addition to what everyone else has said, having everything be encrypted means encryption isn't "special", there's no metadata that indicates that the communication contains secret data due to encryption. If people don't encrypt non-sensitive traffic, then sensitive traffic stands out. So there's a sort of civic duty element to enabling TLS (or using encrypted messaging, etc.).
The website might not be designed to have credentials or login forms, but now you have allowed attackers to place fake login forms on your website. And given the prevalence of password reuse for the general population, attackers can easily harvest real passwords this way.
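The two comments above make the same point from the site owner's side: in the clear, anyone on the path can rewrite the page or add a form that was never there, and the visitor has no way to tell. The check below is an added example (not code from this thread or any project it mentions). It takes two captured responses for the same page, one over plain http:// and one over https://, and reports what an on-path party could still do: no redirect to HTTPS, no HSTS (so the next visit starts in the clear again), or a script still loaded over http:// from inside the HTTPS page. The raw responses are constructed for illustration; `example.org` and `cdn.example.net` are placeholder hosts.

```python
"""Audit captured HTTP exchanges for the protections that stop in-path tampering.

Added example, not the thread's own code. All responses below are constructed.
"""
import re
from urllib.parse import urlsplit

ONE_YEAR = 31_536_000  # seconds; the minimum max-age the HSTS preload list accepts


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status, headers, body).

    Header names are lower-cased; a repeated header keeps its last value,
    which is sufficient for the checks performed here.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def hsts_max_age(value: str):
    """Return the max-age of a Strict-Transport-Security value, or None if absent."""
    m = re.search(r'max-age\s*=\s*"?(\d+)', value, re.IGNORECASE)
    return int(m.group(1)) if m else None


def audit(page_url: str, plain_raw: str, secure_raw: str):
    """Return a list of findings; an empty list means the page is shielded end to end."""
    findings = []
    host = urlsplit(page_url).hostname

    # 1. The plain-HTTP endpoint must only redirect, to HTTPS on the same host.
    status, headers, _ = parse_response(plain_raw)
    location = headers.get("location", "")
    redirects = (
        status in (301, 302, 307, 308)
        and location.startswith("https://")
        and urlsplit(location).hostname == host
    )
    if not redirects:
        findings.append(
            "plain HTTP does not redirect to HTTPS on the same host: "
            "an on-path party can rewrite the page or add a fake login form"
        )

    # 2. The HTTPS response must pin future visits to HTTPS via HSTS.
    status, headers, body = parse_response(secure_raw)
    sts = headers.get("strict-transport-security")
    age = hsts_max_age(sts) if sts else None
    if age is None:
        findings.append(
            "no Strict-Transport-Security header: the next visit starts over "
            "plain HTTP and can be intercepted before the redirect"
        )
    elif age < ONE_YEAR:
        findings.append(f"HSTS max-age {age} is below one year")
    elif "includesubdomains" not in sts.lower():
        findings.append("HSTS lacks includeSubDomains")

    # 3. Subresources (src= attributes) fetched over http:// reopen the hole.
    for m in re.finditer(r'src\s*=\s*["\']http://([^/"\']+)', body, re.IGNORECASE):
        findings.append(
            f"HTTPS page loads an http:// resource from {m.group(1)}: "
            "that resource can still be tampered with in transit"
        )
    return findings


# Constructed sample exchanges for a hypothetical page.
PAGE = "https://example.org/notes.html"
PLAIN_GOOD = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://example.org/notes.html\r\n"
    "Content-Length: 0\r\n\r\n"
)
PLAIN_BAD = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n\r\n"
    "<html><body><p>Just some notes.</p></body></html>"
)
SECURE_GOOD = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n\r\n"
    "<html><body><p>Just some notes.</p></body></html>"
)
SECURE_WEAK = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n\r\n"
    '<html><body><script src="http://cdn.example.net/lib.js"></script></body></html>'
)

if __name__ == "__main__":
    for finding in audit(PAGE, PLAIN_BAD, SECURE_WEAK):
        print("-", finding)
```

In practice the two captures come from fetching the same path over both schemes; the checks are deliberately limited to what the response itself shows, so the same function works on saved captures.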
Not to mention injected ads which used to be very common in the late 2000s.
I used to think that, but at this point the Internet is sufficiently hostile that it's everyone's responsibility to encrypt everything all the time to reduce the utility to bad actors to zero.
It's a little bit like using Tor for some of your ordinary browsing (which I do) so that spy agencies can't infer everyone using Tor is doing something wrong.
pessimizer|9 months ago
TLS is more important on sites that are just serving information. It's easy to reconstruct your train of thought as you click around.
Librarians have fought (and lost) to defend our privacy to read.
https://www.ala.org/advocacy/intfreedom/privacyconfidentiali...
AStonesThrow|9 months ago
I consider the integrity of messages to-and-from the web to be very important.
Many of us lived through days when ISPs or some other greedy middleman injected ads into unsecured web pages. They played DNS tricks too.
Imagine if you had an app download that could be maliciously modified in-flight.
Furthermore, a certificate can guarantee you’re not connected to an imposter. What if the TFA link was redirected to “abevigoda.com”? Catastrophe!