DNN Blogs

Written for the Community, by the Community

Why EVERY site should be secured by HTTPS

Written By Michael Tobisch
2019-07-17

A short story

Let me tell you what happened last Easter when I spent some days off in Bamberg, a town in Franconia, Germany. I rented a nice apartment not far from the center, that I found - guess - on the Internet. Their website was not secured; anyway, it was a static website with nothing on it but text and pictures.

One evening I was sitting together with the host, drinking some of the famous beers they have in this region, and told him that he should change his website to HTTPS, as it is not secure. He was not a technician, and to be honest, I think he had not too much idea of what I was talking about. The next morning, his son-in-law came up to me; he was the one who "made" the site (years ago). He asked me about what I had told the host the other day and said: "Why for this site? There is no form, no submission or storage of personal data, not even a database in the background. So why do you think we should do this?"

My answer was: "Because the newer versions of Chrome show a big red warning that the site is not secure if you don't, and Firefox and Edge will do so as well soon, I am sure. Imagine how potential non-tech clients will react when they see this. Do you really believe that anyone would stay on the site when the browser says that it is not secure? So it raises trust, and the chances are better that they book. And because it is free, and there is not much work to implement it. And finally, because it affects search ranking."

He understood. In the evening, the site was on HTTPS. And as I am a really lousy salesman... OK, the host invited me for the beers the day before.


Are these the only reasons?

No. Even for a site that does not contain anything sensitive, and which you think is safely stored on your server: every page travels the world through cables, satellites, routers, everything - and these are not controlled by you. When the communication between your site and the browser is not encrypted, anyone on that path could inject scripts, images or ads, and it looks like you put them there. There actually have been cases where a hotel, an airline or an ISP injected content into sites visited by their customers - and these are not the only ones. HTTPS prevents this, and therefore guarantees the integrity of your site as it is delivered to the visitor.

Often I hear the argument that domain validated (DV) certificates (as issued by Let's Encrypt) are not secure, and that EV certificates cost a lot of (or actually too much) money. While the second part of this sentence is correct, the first part is - excuse me - bullshit. In fact, they are as secure as any other certificate, as the cryptography is the same in both; the validation level only changes what the CA checked about the owner before issuing. There are highly regarded security experts stating that EV certificates are dead. All you have to care about is not losing control over your DNS, and choosing a competent certificate authority.

In my session at DNN Connect 2019 in Champéry in Switzerland I mentioned a little device called WiFi Pineapple. This little device works as a WiFi access point, but is able to trick other devices into "thinking" it's a known network, so that they automatically connect to it without any user interaction whatsoever. Whoever runs such an access point sits between your visitor and your site; HTTPS is what keeps the content intact and private even when the network itself cannot be trusted.

Someone told me a while ago that his site uses ads delivered over HTTP and that using HTTPS would cause browser warnings about mixed content. While this is true, it is no reason not to use HTTPS for your site. To avoid the browser warnings, convince your ad network to move to HTTPS as well (better before you do), and when they do not show understanding (most of them will, or better said, most of them have already done so), find a way to step out of the contract and choose another ad network.

Finally

Would you like to end up in this statistic? ;-)

Comments
If your website has SSL in place but you get an exclamation mark in the url line instead of a padlock most likely you have an image or two in the code still calling to http instead of https. Here is a great free tool for finding those. https://www.whynopadlock.com/
Wednesday, August 14, 2019
Bruce, this is correct. But instead of searching such links it is much easier to implement HSTS (HTTP Strict Transport Security), which enforces the browser to upgrade insecure requests. See https://scotthelme.co.uk/hsts-the-missing-link-in-tls/
Monday, August 19, 2019
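The two comments above describe two different checks: finding the http:// references that cost you the padlock, and verifying that the site sends a Strict-Transport-Security header. The following is an added example, not code from the original post or from whynopadlock.com, that does both offline on constructed input: it walks an HTML document for subresource attributes (img/script/link/iframe/video etc., srcset lists and url() in inline CSS) and flags every absolute http:// URL, and it parses an HSTS header into its directives. One caveat worth knowing: HSTS upgrades requests to the site's own host (and, with includeSubDomains, its subdomains), while third-party resources on other hosts are upgraded by the CSP directive upgrade-insecure-requests, so the scan is still useful even with HSTS in place. All hostnames and header values are constructed sample data.

```python
"""Added example (not part of the original post): find mixed-content
references in HTML and inspect a Strict-Transport-Security header."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that make the browser fetch a subresource. An absolute http://
# URL in any of these on an https:// page is mixed content.
FETCH_ATTRS = {
    "img": ("src", "srcset"),
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "audio": ("src",),
    "video": ("src", "poster"),
    "source": ("src", "srcset"),
    "embed": ("src",),
    "object": ("data",),
}
# <link> only fetches for these rel values; rel="canonical" etc. is harmless.
FETCHING_LINK_RELS = {"stylesheet", "icon", "preload", "prefetch", "modulepreload"}
# url(http://...) inside inline CSS (style attribute or <style> element)
CSS_URL_RE = re.compile(r"url\(\s*['\"]?(http://[^'\")\s]+)", re.I)


class MixedContentFinder(HTMLParser):
    """Collects (tag, attribute, url) for every absolute http:// subresource."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        self._in_style = tag == "style"
        # inline style="... url(http://...)"
        for url in CSS_URL_RE.findall(attrs.get("style") or ""):
            self.findings.append((tag, "style", url))
        if tag == "link":
            rel = set((attrs.get("rel") or "").lower().split())
            if not rel & FETCHING_LINK_RELS:
                return
        for attr in FETCH_ATTRS.get(tag, ()):
            value = attrs.get(attr)
            if not value:
                continue
            # srcset is a comma-separated list of "url descriptor" pairs
            if attr == "srcset":
                candidates = [c.strip().split()[0] for c in value.split(",") if c.strip()]
            else:
                candidates = [value]
            for url in candidates:
                # protocol-relative (//host/...) and relative URLs inherit https
                if urlsplit(url).scheme.lower() == "http":
                    self.findings.append((tag, attr, url))

    def handle_data(self, data):
        if self._in_style:
            for url in CSS_URL_RE.findall(data):
                self.findings.append(("style", "css", url))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False


def find_mixed_content(html):
    parser = MixedContentFinder()
    parser.feed(html)
    return parser.findings


def parse_hsts(headers):
    """Return the HSTS directives as a dict, or None if the header is absent."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return None
    info = {"max_age": 0, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                info["max_age"] = int(val.strip().strip('"'))
            except ValueError:
                pass  # malformed max-age: keep 0 so the policy is not trusted
        elif name == "includesubdomains":
            info["include_subdomains"] = True
        elif name == "preload":
            info["preload"] = True
    return info


# Constructed sample page: three real mixed-content bugs plus one inline CSS
# one, alongside references that are fine (relative, https, protocol-relative,
# and a canonical link that the browser never fetches).
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<link rel="canonical" href="http://www.example.test/">
<script src="https://cdn.example.test/app.js"></script>
</head><body>
<img src="http://www.example.test/images/room.jpg" alt="room">
<img src="/images/logo.png" alt="logo">
<img srcset="http://img.example.test/a.jpg 1x, https://img.example.test/b.jpg 2x">
<div style="background:url(http://www.example.test/bg.png)">Welcome</div>
<iframe src="//ads.example.test/banner"></iframe>
</body></html>"""

# Constructed sample response headers (a one-year HSTS policy)
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_HTML):
        print(f"mixed content: <{tag} {attr}> {url}")
    print("HSTS:", parse_hsts(SAMPLE_HEADERS))
```

Run against a real page by feeding it the fetched HTML body and the response header dictionary; the findings list tells you exactly which references to rewrite to https:// (or to a protocol-relative or relative path), and a `max_age` of 0 or a missing header tells you HSTS is not actually in force.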
Thank you for the advice, this was very useful!
Friday, December 20, 2019
