Troy Hunt has put together a video that demonstrates various ways that traffic coming from an unencrypted web site can be dicked around with, for various nefarious purposes, using a technique called a Man In The Middle (MITM) attack.
You can usually tell if a web site is encrypted by looking at your web browser’s address bar. For example, URLs for this web site (boot13.com) should appear in the address bar with a lock, followed by
https:// rather than the unencrypted
http://. If you try to access any part of this site using
http://, you’ll be redirected to the equivalent
Although the video does get a bit technical, it’s worth watching all 24+ minutes. You should understand enough of it to see the danger.
Perhaps the most interesting of Troy’s observations is that encrypting a web site doesn’t really provide any direct benefit to the site’s owner. This is not about protecting your web site; it’s about protecting its visitors. In other words, encrypting your web site is an act of altruism.
After watching Troy’s video, I immediately started an evaluation of all my own web sites, as well as those of clients, to make sure that all traffic coming from them is encrypted. Most are already using HTTPS, but some don’t force the use of HTTPS.
Troy Hunt’s video
If you run a web site, you should realize by now that there’s no good reason to avoid turning on encryption. It’s also easier than ever, and — thanks to Let’s Encrypt — no longer has to cost anything. The HTTPS Is Easy video series is a good starting point if you’re not sure how to proceed.
Update 2018Aug08: Sadly, people in remote and underserved locations are having a lot of trouble accessing sites via HTTPS. While that certainly sucks for them, I’m confident that solutions to the specific technical issues involved will be found.
One thought on “A strong case for encrypting all web sites – even simple ones”