HTTPS for informational websites, yay or nay?

[fgm]

Would you move a purely informational website from HTTP to HTTPS even if there are no forms, logins or other sensible data?

Until now I've only used HTTPS when needed,  but the major browsers have started marking these websites as "Non secure" just because they are HTTP, so I'm considering to move to HTTPS

[mmerlinn]

Absolutely.

My site of about 14,000 purely informational pages was HTTP because I saw no reason for HTTPS. Even Google Webmaster said I had no security issues.

Then in July 2018 my inquiries started dropping from 5 or more per day.  A year later I was only getting 2 inquiries per WEEK, a horrendous drop from the year before. I knew there was something wrong, but it took me 10-1/2 months of digging before I found the problem. Chrome was flagging all of my pages as insecure.  Since Chrome has about 60% of the market, that flagging hit me hard.

Once I found the problem, it took me another six weeks to fix it.  On the last Monday of June 2019 I was finally up and working with HTTPS. Within ONE HOUR I had 5 inquiries, a far cry from the TWO inquiries the week before with HTTP. And ever since my inquiries have ranged from 5 to 10 PER DAY.

For purely informational pages there is no reason to have anything more costly than FREE LetsEncrypt security for a website.  However, not all hosts allow it to be used. GoDaddy, for example, WILL allow FREE LetsEncrypt, BUT they will charge you $175 per year and NOT allow you to install it yourself. As a result, I was forced to jettison GoDaddy as my host and moved to a host that includes FREE LetEncrypt security as part of their hosting plan.

Also, according to what I read, Chrome will BLOCK all HTTP pages starting next January. At that point over 60% of all potential visitors will NEVER be able to see your site.

[fgm]

Thanks for the information.  I run my own VPS so that's not a trouble.

[Jason Knight]

Yeah, when browsers started showing the warnings about https sites I was initially of the mindset "ignore that bull, it's just a scam to make you spend more money".. but then multiple attack vectors started showing up where https was the only answer.

What threw me into the camp of "just do it, go https" was LetsEncrypt being free, and it integrating so neatly into ISPConfig where setting it up is a simple matter of ticking off one checkbox.

No more dicking around on the command line with pages of esoteric badly documented instructions, just tick one checkbox and done? For free? At that point there's no reason not to.

With Google now down-ranking http pages, the news that Chrome is going to start blocking flat http pages (to an extent, you'll have to click through some warnings to unlock them), and the ease with which many back-ends now let you apply LetsEncrypt....

Do it.

Mind you, it does slow down page loads as encryption takes time on both ends, but newer technologies -- like HTTP 2 push and throwing more RAM at the server for larger cache settings -- can be leveraged to make up for that time in other ways.

[fgm]

What bothers me is that HTTPS breaks graceful degradation for the oldest browsers and obscure user agents. They are listed clicking on Not simulated clients in the SSL Labs test

Here there are the cipher lists recommended by Mozilla: https://wiki.mozilla.org/Security/Server_Side_TLS

[nshep]

Consumers are getting more concerned about security indicators, therefore, I think being on HTTPS will be the standard in the future, no matter what kind of site you are running.

[mmerlinn]

What bothers me is that HTTPS breaks graceful degradation for the oldest browsers and obscure user agents. They are listed clicking on Not simulated clients in the SSL Labs test

Here there are the cipher lists recommended by Mozilla: https://wiki.mozilla.org/Security/Server_Side_TLS

I can't find the table of browsers and SSL support that I saw 6 months ago, but if I remember correctly any browser that supports SHA-2 can be secured with LetsEncrypt. That means FF back to FF2, and many others of the same era. As far as I know browsers earlier than that means you are SOOL accessing HTTPS. Granted, that sucks, but there is nothing that I know of that will change that. The worst part is that all of the accumulated knowledge on the web that is not HTTPS will eventually be lost forever.

[Jason Knight]

What bothers me is that HTTPS breaks graceful degradation for the oldest browsers and obscure user agents.

That was another of my worries, but given the security risks older browsers pose not just to the user, but also the websites they visit?

Increasingly I'm not sure I give a flying purple fish if it means IE 8/earlier users can't access the site. Oh noes, not that.

... and I used to be first in line for legacy UA support. But the pain of making pages work in the old crap, the security risks, and the just plain ignorance of users means we need a means of sending a VERY clear message on the subject:



What are these words, explain! EXPLAIN!!!

Particularly when browsers are freaking FREE.

Maybe if we shut them out for security reasons we can get some of the know-nothing penny-pinchers to let the IT guys install a bunch of Win 10 nettops to replace the Win 9x thin clients.. You know, the $25K in hardware the executives all pulling down seven figures said was too expensive?

True story of a friend of mine who does IT for a local health clinic, where their client database is still on a ASA/400.