Until recently, I did not realize that HTTPS is important for ALL sites, not just for sites containing sensitive information, login pages, banking websites, and shopping pages. The eye-opener for me was Troy Hunt's article about this same topic. Troy talks about a bank having its landing page HTTP only, while forwarding to HTTPS for the login. The problem Troy points out is that the link to the secure login page can be intercepted / modified / redirected to any other site by anyone able to MitM your connection (ISP, coffee shop, malicious actor on open Wi-Fi, VPN provider, …).
While HTTPS will not fully solve this (things like SSL strip can still be applied but can be spotted fairly easily), it does increase the complexity for the (malicious) actor to redirect you to the wrong site.
Honestly, I completely agree with Troy’s post. I did not realize the importance (other than for privacy protection) before his post, but it was eye-opening to me and showed me that HTTPS has to be applied everywhere to be effective.
People, apply HTTPS everywhere - with Let’s Encrypt it does not cost a penny and is easy to configure for almost every server setup.