DNN Blogs

Written for the Community, by the Community

Why EVERY site should be secured by HTTPS

Written By Michael Tobisch
2019-07-17

A short story

Let me tell you what happened last Easter when I spent some days off in Bamberg, a town in Franconia, Germany. I rented a nice appartement not far from the center, that I found - guess - on the Internet. Their website was not secured, anyway it was a static website with nothing on it but texts and pictures.

One evening I was sitting together with the host, drinking some of the famous beers they have in this region and told him that he should change his website to HTTPS, as it is not secure. He was not a technician, and to be true, I think he had not too much idea of what I was talking about. The next morning, his son in law came up to me, he was the one who "made" the site (years ago). He asked me about what I told the host the other day and said "Why for this site? There is no form, no submission or storage of personal data, not even a database in the background. So why do you think we should do this?"

My answer was: "Because the newer versions of Chrome show a big red warning that the site is not secure if you don't, and Firefox and Edge will do so as well soon, I am sure. Imagine how potential non-tech clients will react when they see this. Do you really believe that anyone would stay on the site when the browser says that it is not secure? So it raises trust, and the chances are better that they book. And because it is for free, and there is not much work to implement it. And finally, because it affects search ranking."

He understood. In the evening, the site was on HTTPS. And as I am a really lousy salesman... OK, the host invited me for the beers the day before.

 

Are these the only reasons?

No. Even for a site that does not contain anything sensitive, and you think it is safely stored on your server - it travels the world through cables, satellites, routers, everything - and these are not controlled by you. When the communication between your site and the browser is not encrypted, anyone could inject scripts, images or ads, and it looks like you put them there. There actually have been cases where a hotel, an airline or an ISP injected content in sites visited by their customers - and these are not the only ones. HTTPS can prevent this, and therefore guarantee the integrity of your site.

Often I hear the argument that domain validated certificates (as issued by Let's Encrypt) are not secure, and EV certificates cost a lot of (or actually too much) money. As the second part of this sentence is correct, the first part is - excuse me - bullshit. In fact, they are as secure as any certificate, as the cryptography is the same in both. There are highly regarded security experts stating that EV certificates are dead. Everything you have to care about is not loosing control over your DNS, and choose a competent certificate authority.

In my session at DNN Connect 2019 in Champéry in Switzerland I mentioned a little device called WiFi Pineapple. This little device works as a WiFi access point, but is able to trick other devices into "thinking" it's a known network that they automatically connect to without any user interaction whatsoever.

Someone told me a while ago that his site uses ads delivered over HTTP and using HTTPS would cause browser warnings about mixed contents. While this is true - it is no reason to not using HTTPS for your site. To avoid the browser warnings convince your ad network to move to HTTPS as well (better before you do), and when they do not show understanding (most of them will, or better said most of them have already done so) find a way to step out of the contract and choose another ad network.

Finally

Would you like to end up in this statistic? ;-)

Published
2019-07-17
Share
Written By
Michael Tobisch
I am an experienced ASP/ASP.Net programmer and using DotNetNuke since some early 3.x version. The main focus of my work is custom modules and integration, SQL Server optimization and security. I have contributed to the community for a long time by answering questions, trying to help people in the forums and the Community Exchange, in workshops etc. I was involved in various DNN events as a speaker, e.g. DNN Connect 2023, Champéry, Switzerland (2023), DNN Connect 2022, Millau, France (2022), DNN Connect 2019, Champéry, Switzerland (2019), DotNetNuke 7 Roadshow, Munich, Germany and Vienna, Austria (2013), German Usergroup Meeting, Stuttgart, Germany (2011), European Day of DotNetNuke, Paris, France (2010), and German Usergroup Meeting, Berlin, Germany (2010). In 2020 and 2021 I was the local co-organizer for the DNN Connect conference (planned in Obergurgl/Austria and cancelled due to the COVID-19 pandemic :-( ) I am also an active member in the DNN Connect Association and the German Speaking Usergroup. I have been a DNN★MVP since 2013.
Tags
HTTPSSecuritySSL
Total: 3 Comment(s)
Bruce Jones
Bruce Jones
If your website has SSL in place but you get an exclamation mark in the url line instead of a padlock most likely you have an image or two in the code still calling to http instead of https. Here is a great free tool for finding those. https://www.whynopadlock.com/
Wednesday, August 14, 2019 ·
Michael Tobisch
Michael Tobisch
Bruce, this is correct. But instead of searching such links it is much easier to implement HSTS (HTTP Strict Transport Security), which enforces the browser to upgrade insecure requests. See https://scotthelme.co.uk/hsts-the-missing-link-in-tls/
Monday, August 19, 2019 ·
Alex Rinaldi
Alex Rinaldi
Thank you for the advice, this was very useful!
Friday, December 20, 2019 ·

Would you like to help us?

Awesome! Simply post in the forums using the link below and we'll get you started.

Get Involved