|
Let's say I have a large content-only site; no login or logout, no usernames, no email addresses, no secure area, nothing secret on the site, nada. People just come to the site and go from page to page and look at content. Besides a slight bump in SEO from Google (very slight, from what I've read), is there any benefit of forcing the site to load via HTTPS? |
|||||||||||||||||||||
|
|
HTTPS does not just provide secrecy (of which you are doubting the value, though there are good reasons for it still) but also authenticity, which is always of value. Without it, a malicious access point/router/ISP/etc. can rewrite any part of your site before displaying it to the user. This could include:
Failure to protect your users from these things is irresponsible. |
|||||||||||||||||
|
...According to you. Maybe you are a competitor to someone's boss and he likes his/her boss not knowing. It creates privacy. You might think it's insignificant, or maybe it's not a big deal now but could be at another point in time. I am a firm believer that no-one apart from me and the website should know what I'm doing. It creates trust. Having the padlock is a sign of security and it can signify some degree of skill regarding the website, and thus your products. It makes you less of a target for e.g. MitM attacks. Security increases. With initiatives like Let's Encrypt, which make it a lot easier and free, there aren't many downsides. CPU power taken up by SSL is negligible these days. |
|||||||||||||||||||||
|
|
It prevents man in the middle attacks that make you think you are visiting your site but present a page that is actually from another and may attempt to get info from you. Since the data is encrypted, it also makes it more difficult for an attacker to manipulate the page as you see it. Because you need a SSL certificate, that verifies you are the owner of the site at a minimum giving at least some verification of who you are. |
||||
|
|
|
(Parts taken from my answer to a similar question.) HTTPS can achieve two things:
Probably everyone agrees that HTTPS should be mandatory when transmitting secrets (like passwords, banking data etc.), but even if your site does not process such secrets, there are several other cases where and why the use of HTTPS can be beneficial. Attackers can’t tamper with requested content.When using HTTP, eavesdroppers could manipulate the content your visitors see on your website. For example:
HTTPS can prevent this. Attackers can’t read requested content.When using HTTP, eavesdroppers can learn which pages/content on your host your visitors access. Although the content itself may be public, the knowledge that a specific person consumes it can be problematic:
This, of course, depends on the nature of your content, but what seems to be harmless content to you can be interpreted differently by other parties. Better be safe than sorry. HTTPS can prevent this. |
|||||||||||||
|
|
Marketing firms like Hitwise pay ISPs to gather data about your site when you don' use SSL. Data about your site gets collected which you might rather not have your competitors know:
|
|||
|
|
|
You get HTTP/2 support, the new web standard designed to significantly improve website loading speeds. Because browser makers have chosen to support HTTP/2 only over HTTPS, enabling HTTPS (on a server that supports HTTP/2) is the only way to get this speed upgrade. |
|||
|
|
|
Besides the benefits mentioned by others there is one reason that will make you switch to SSL unless you don't care about your visitors that use Chrome - the new versions of Chrome (starting from the end of the year as far as I remember) are going to show a warning (which will drive away users from your site) by default for all sites that aren't using HTTPS. //EDIT: Here are links to two more detailed articles, though I can't seem to find the one I've read about when they're planning to officially introduce the feature: http://www.pandasecurity.com/mediacenter/security/websites-that-arent-using-https/ |
|||||||||||||||||
|
