HTTPS: Secure by design
HTTPS. You’ve heard of this right? Think of it as your guardian encryption angel while you’re browsing the web, protecting you from all the evil gremlins that want to steal your data. You can spot whether it’s active on a particular webpage by looking at the URL. At the start of the web-address it should both show the https text and a lock/secure sign to ensure that you’re fully protected as you’re transmitting data over the internet.
But as we all know, only a few specific types of websites actually have this protection in place; you know the drill – shopping sites, banking etc, basically the sites where the most sensitive of financial transactions are carried out. And that’s all you really need it for. The standard HTTP is fine for all the other websites, right?
Even if there’s no sensitive data transmitted directly through a website, that site is still a liability under HTTP! Just because your site is hosted safely in your account doesn't mean it won't travel through cables and boxes controlled by who knows how many corporate- and state-owned entities. Do you really want someone injecting scripts, images, or ad content onto your page so that it looks like you put them there? Or changing the words on your page? Or using your site to attack other sites? This stuff happens. A LOT. And HTTPS prevents all of it. It guarantees content integrity and the ability to detect tampering. If we encrypt only secret content, then we automatically paint a target on those transmissions. Keep which of your transmissions contain secrets secret by encrypting everything.
It’s simple, free and fast. Use it!
Something that’s going to increase HTTPS adoption at an even faster rate are the upcoming changes to Google’s extremely popular web browser Chrome. As you can see in the image below, at the moment, a website is deemed “not secure” if not using HTTPS in incognito mode. However, this will also be the case in the normal browsing mode from Version 62 onwards. That means every single time you open a webpage not using HTTPS, it’ll be made VERY obvious next to the URL that the page is unsecure.
The world is moving rapidly towards a “secure by design” approach to web applications and you cannot afford to be left behind. The bottom line is this: if you're serving anything over an insecure connection you need to be planning how you're going to go HTTPS by default NOW. Life is about to get a whole lot harder if you don’t.