Ask HN: Do we need secure connection for websites?

2 pointsj1br2y ago4 comments

I do understand the benefit of secure connection which makes requests encrypted between the user and the server but why do we usually have https for websites that doesn't contain any signing up or transferring sensitive info, just normal html.

for instance, this website http://three-eyed-games.com/2018/05/03/gpu-ray-tracing-in-unity-part-1/ does it need to implement ssl certificate?

4 comments

PaulHoule2y ago

For one thing without SSL the connection can attacked by a man in the middle and something harmful could be injected in that site.

That particular content is innocuous but you’d better believe there is some static web site you could visit that could get you in trouble with some government somewhere.

It’s not so clear what might be sensitive somewhere (maybe your work doesn’t want you wasting time reading stuff like that when it has nothing to do with your job.). If all sites are encrypted, not just the sensitive ones, the job of mass surveillance becomes a lot tougher.

The Snowden revelations were no surprise to me, the NSA was founded to do exactly that. SSL became popular because of mass surveillance being perceived as a threat, it is not just the NSA, other countries like Russia, France, Israel, Iran, etc. would do the same as well as organized crime groups, “hackers” and such.

orbz2y ago

And before anyone says this is hypothetical: many ISPs have already been caught injecting advertisements, malware and tracking into websites.

LinuxBender2y ago

Others will add the technical reasons that doing so is best practice but I would just add that if one does not want skeptical visitors then HTTPS must be used to avoid browser warnings. Most browsers today will warn the visitor something is wrong if using unencrypted HTTP as a matter of covering the lowest common denominators and not trying to guess if a site has sensitive data. With exception of Tor hidden sites, the days of unencrypted HTTP are behind us and even that exception may get covered should LetsEncrypt decide to handle .onion similar to Harica [1]

[1] - https://blog.torproject.org/tls-certificate-for-onion-site/

cowsup2y ago

HTTPS also prevents your ISP, your government, or other people on your network from viewing (or, in rare cases, modifying) the pages and content that you browse.

So no, a blog post talking about ray tracing doesn't inherently need to have HTTPS, but it's a good practice for any and all websites to implement it, to protect user privacy and prevent tampering. Nothing bad is likely to happen if you read that site, though, so don't worry about it if you're just a regular user.

j / k navigate · click thread line to collapse