A lot of the web is in a rush to move to HTTPS so as not to get marked as insecure in browsers such as Google Chrome. But do you really _need_ HTTPS on your site?
As usual, this depends on a lot of factors, and there is no one answer for everyone.
What HTTPS provides
Before you decide if you need HTTPS, it’s important to understand what it actually provides for both you and your users.
HTTPS is HTTP carried over TLS (Transport Layer Security), which protects your website's traffic as it crosses the internet. It ensures that only your server and your visitor's browser can read that particular session. Everything the server sends is encrypted, and every request the browser makes is encrypted too. That includes form submissions, which matters most for logins: without TLS the password crosses the network in plain text, readable by anyone on the path (the coffee-shop Wi-Fi, the ISP, any router in between).
Saying that only the server and browser can see a session is a simplification. In reality there _can_ be servers in between, such as load balancers and reverse proxies (Cloudflare, for example). Those terminate TLS, so they do see the plaintext. But they can only do that because the site owner deliberately routed traffic through them and gave them, or let them obtain, a certificate for the domain, and a CA only issues one after checking that the requester controls the domain. A random party on the network cannot get one.
On top of encryption, TLS also provides data integrity: it detects whether the data was tampered with in transit. Each TLS record carries an authentication tag, a MAC computed with a keyed hash (or, in modern cipher suites, the tag of an AEAD cipher such as AES-GCM). Changing even a single bit of the data produces a completely different tag, and because the attacker does not hold the session key they cannot compute a matching one, so the receiver rejects the record.
Integrity protects you even if an attacker manages to intercept your connection to a site: they can neither read it (due to the encryption) nor tamper with it. Any alteration to the data is detected, which means your ISP cannot inject ads or trackers into the pages you load.
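To make the integrity mechanism concrete, here is an added example (not code from the original post) that uses the openssl command-line tool to compute an HMAC-SHA256 tag over a message, the same kind of keyed check a TLS record carries, and shows that a one-byte change to the message, or a tag computed with the wrong key, makes verification fail. The key and the messages are made up for the demo.

```shell
#!/bin/sh
# Added illustration, not from the original post: a keyed authentication tag
# (HMAC-SHA256 via the openssl CLI) over a message. TLS protects each record
# with a tag of this kind (or an AEAD tag), which is why in-flight changes are
# detected. The key and messages below are constructed for the demo.
set -eu

# mac KEY MESSAGE -> hex tag on stdout
mac() {
  printf '%s' "$2" | openssl dgst -sha256 -hmac "$1" | awk '{print $NF}'
}

# check KEY MESSAGE TAG -> exit 0 if TAG is the correct tag for MESSAGE under KEY
check() {
  [ "$(mac "$1" "$2")" = "$3" ]
}

KEY='session-key-known-only-to-browser-and-server'   # constructed
ORIGINAL='POST /transfer amount=100 to=alice'        # constructed
TAMPERED='POST /transfer amount=900 to=alice'        # one byte changed on the wire

TAG=$(mac "$KEY" "$ORIGINAL")
echo "tag over original : $TAG"
echo "tag over tampered : $(mac "$KEY" "$TAMPERED")"

# The receiver recomputes the tag and compares; the altered record fails.
if check "$KEY" "$ORIGINAL" "$TAG"; then echo "original: accepted"; fi
if check "$KEY" "$TAMPERED" "$TAG"; then echo "tampered: accepted (bug!)"; else echo "tampered: rejected"; fi

# An attacker who does not hold the key cannot produce an acceptable tag.
FORGED=$(mac 'attacker-guess' "$TAMPERED")
if check "$KEY" "$TAMPERED" "$FORGED"; then echo "forged: accepted (bug!)"; else echo "forged: rejected"; fi
```

Two things a real TLS stack does that this demo skips: the key is fresh for every session (derived during the handshake, never a fixed string), and the tag comparison is constant-time, whereas the shell `[ = ]` above is not.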
On top of ensuring the data itself hasn't been tampered with, HTTPS also checks that no attacker sits between the visitor's connection and the website's server. Without that check, an attacker on the path would only need to present their own key during the handshake instead of the web server's, and the browser would happily negotiate a secure channel with the attacker rather than the real site. The attacker could then forward everything to the real site, reading and recording all the data as it passes through.
Luckily for the internet, a website's identity is verified before the user has a chance to send anything private over the connection. The browser checks that the certificate the site presents was signed by a Certificate Authority (CA) that is already in its trust store, and that the name in the certificate matches the site being visited; the CA only signs a certificate after confirming that the requester controls that domain. If the check fails (e.g. a self-signed certificate, or one issued for a different hostname), the user sees a big red warning and will most likely not continue to the site.
Unfortunately, this only works as long as nobody has added an extra trusted root to the computer you're using, whether a manually approved certificate or one installed by some interception proxy. If you're on a public computer, always check that the certificate is issued by a legitimate certificate authority. When in doubt, Google the certificate authority. If nothing related to a certificate authority turns up, someone could be snooping on your connection.
Figure: checking the CA in Chrome ("Secure" badge in the URL bar -> Certificate)
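The certificate checks described above, as an added example that is not part of the original post: a throwaway CA is built with the openssl command-line tool, it issues a certificate for example.com, and an attacker produces a self-signed certificate that also claims example.com. The script then runs the two checks a browser performs (does the certificate chain to a trusted root, and is it valid for the hostname being visited), including the "manually approved" case where the attacker's certificate has been added to the trust store. "Demo Root CA", example.com and attacker.test are constructed names; the OpenSSL `-addext` option used here needs OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not from the original post: a throwaway CA built with the
# openssl CLI, used to show the checks a browser makes before trusting a
# certificate. "Demo Root CA", example.com and attacker.test are constructed
# names; everything is created in a temp dir and deleted on exit.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. A private root CA. It stands in for a real CA in the browser's trust store.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -subj '/CN=Demo Root CA' -keyout ca.key -out ca.crt 2>/dev/null

# 2. The real site's key, a signing request for example.com, and the
#    certificate the CA issues for it. The name goes in the SAN extension,
#    which is the field browsers match the hostname against.
openssl req -newkey rsa:2048 -nodes -sha256 \
  -subj '/CN=example.com' -keyout site.key -out site.csr 2>/dev/null
printf 'subjectAltName=DNS:example.com\n' > san.ext
openssl x509 -req -in site.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -sha256 -days 1 -extfile san.ext -out site.crt 2>/dev/null

# 3. The attacker's certificate: self-signed, but claiming example.com.
#    Anyone can make one; the name written into it proves nothing.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -subj '/CN=example.com' -addext 'subjectAltName=DNS:example.com' \
  -keyout evil.key -out evil.crt 2>/dev/null

# verify_as_browser HOSTNAME CERT [TRUST_STORE]
# Exit 0 only if CERT chains to a root in TRUST_STORE (default: our CA) and is
# valid for HOSTNAME: the two checks a browser does before sending any data.
verify_as_browser() {
  openssl verify -CAfile "${3:-ca.crt}" -verify_hostname "$1" "$2" >/dev/null 2>&1
}

report() {
  if verify_as_browser "$@"; then
    echo "$2 presented for $1 (trust store: ${3:-ca.crt}): trusted"
  else
    echo "$2 presented for $1 (trust store: ${3:-ca.crt}): REJECTED, browser shows the warning"
  fi
}

report example.com   site.crt   # issued by the trusted CA, right name: trusted
report example.com   evil.crt   # self-signed: rejected even though it says example.com
report attacker.test site.crt   # genuine cert, but presented for another hostname: rejected

# 4. What "manually approved" means: once the attacker's certificate has been
#    added to the machine's trust store, the very same bogus cert is accepted.
cat ca.crt evil.crt > tampered_store.crt
report example.com evil.crt tampered_store.crt
```

The last case is why the previous paragraph warns about public computers: the browser's check is only as good as the list of roots it has been told to trust.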
Enough with the learning, do I need it or not?!
Now that you understand what HTTPS does, you can make a more educated decision on whether your website needs it. If you already have HTTPS up and running, this post can still help you decide whether you need to redirect HTTP to HTTPS (or send HSTS, which tells browsers to always use HTTPS for your domain, but that's a topic for another day ;) ).
What forms does your site have?
By forms, I mean HTML forms that send data to the server, over either the secured or the unsecured connection. For many blogs, this is just the comments area or a contact form. Other sites have logins that send a password over the connection. Some e-commerce sites send credit card details to their own servers. I say "some" because many use a third-party payment service, so the card data goes to that service rather than to the website itself (useful if you don't want to handle card numbers yourself).
If you ask for any personal information on your website, you need HTTPS. Otherwise that data is sent in plain text, and anyone on the network path can read it. On top of that, Google Chrome displays a "Not Secure" badge to the left of the URL.
However, if your website is "just" a blog, and the only forms you have are a comments section and maybe a contact form, you don't really _need_ HTTPS. It doesn't matter much if someone intercepts a comment, because comments are public anyway. The worst an attacker could do is harvest a commenter's email address, which isn't exactly the end of the world. Keep the integrity point from above in mind, though: on plain HTTP an attacker on the path can also alter the pages your readers see, not just read them.
What web host do you have?
If your web host provides a free SSL (ok, TLS) certificate for your site, there really isn't a good reason _not_ to use it. Many hosts, even ones that charge for a certificate, still let you upload your own in cPanel: you can get a Let's Encrypt certificate yourself and upload it. Or you can put Cloudflare in front of the site, so visitors see a certificate issued for your domain while the backend runs a self-signed one. You can even use Cloudflare Flexible SSL, which doesn't require HTTPS on your host at all, but be aware of what that buys you: the hop from Cloudflare to your server is still plain HTTP, so visitors get the padlock while their data still crosses part of the internet unencrypted.
However, a proxy in front of your site, and/or manually renewing and uploading certificates, isn't exactly an ideal solution.
How much time do you spend working on your site?
If you only occasionally write a blog post, setting up and maintaining HTTPS may not be worth the effort. But if you're writing long posts day after day, spending 15 minutes now and then to renew your free Let's Encrypt certificate (they expire after 90 days, though most ACME clients such as certbot renew them automatically) starts to make a lot of sense.
It’s up to you
Unless you're running an e-commerce or membership site, HTTPS likely isn't _required_ for your site. However, with easier solutions appearing all the time, and many hosts offering a one-click free SSL certificate, there's less and less reason not to make the switch. There's also Chrome, which is gradually showing more and more prominent "Not Secure" warnings on HTTP sites.
I use HTTPS because there’s really no reason not to for me. That doesn’t mean everyone needs to switch now though. Let me know what you decide on doing in the comments!