
Why Your Static Website Needs HTTPS (2018) - codesections
https://www.troyhunt.com/heres-why-your-static-website-needs-https/
======
tristador
The recommendation of Cloudflare here seems poor. Using CF to make an HTTP
only site support HTTPS will only prevent MITM between CF and the end user.
MITM between my server and CF is not improved as it's still HTTP. Yes, you can
add a self signed cert and tell CF not to check the cert validity, but that
doesn't prevent MITM.

Worse, Cloudflare can inject JavaScript into your site. The default settings
will show Captchas to users if CF thinks they are not trustworthy. So you end
up with MITM anyway if you aren't careful. For a static site, does a captcha
really make sense? Cloudflare makes the internet worse with insane defaults
like this.

[https://community.cloudflare.com/t/getting-cloudflare-captchas-every-website-i-visit/9277](https://community.cloudflare.com/t/getting-cloudflare-captchas-every-website-i-visit/9277)

[https://www.techrez.com/remove-cloudflare-challange-page/](https://www.techrez.com/remove-cloudflare-challange-page/)

~~~
hombre_fatal
Then again, the defaults of the internet let anyone remove you from it with a
$5 booter and your data is in cleartext and your MITM is every ISP + any hop
in between instead of just your reverse proxy.

Takes defaults far more insane than Cloudflare to do worse than the internet
status quo.

~~~
beamatronic
Sorry, what is a “$5 booter”?

~~~
zzzcpan
Automated service for issuing DDoS attacks.

------
MaxBarraclough
I was disappointed the article is so thin on real substance. It could have
listed out the reasons to always use HTTPS. Easily done:

1. Privacy matters. A medical website, or indeed Wikipedia, should prevent a
snooping ISP from finding out you have been reading about an embarrassing
condition. This is similar to the way librarians are extremely protective of
their loan records [0]. Netflix use HTTPS for their streams, for the same
reason (it does nothing to aid their DRM, it's purely about privacy) [1].

2. HTTPS prevents ads/trackers/malware being injected into the page by
unscrupulous ISPs (this really has happened [2]).

3. Modern browsers will (rightly) warn users not to trust the site. This
makes the site look bad.

4. Some fancy browser features are disabled if you use unencrypted HTTP.
Likely irrelevant for a static site though.

5. Let's turn the tables and ask why you wouldn't use HTTPS for a public-
facing web server. There are just 3 reasons:

* Reduced admin overhead not having to bother with certs

* It enables caching web proxies, which is only relevant if you're running a serious distribution platform like Steam, or a Linux package-management repo [3]

* Better support for very old devices, such as old smartphones in the developing world

[0] [https://www.theguardian.com/us-news/2016/jan/13/us-library-r...](https://www.theguardian.com/us-news/2016/jan/13/us-library-r..).

[1] [https://arstechnica.com/information-technology/2015/04/it-wa...](https://arstechnica.com/information-technology/2015/04/it-wa..).

[2] [https://doesmysiteneedhttps.com/](https://doesmysiteneedhttps.com/)

[3] [https://whydoesaptnotusehttps.com/](https://whydoesaptnotusehttps.com/)

(Taken from an old comment of mine at
[https://news.ycombinator.com/item?id=21912817](https://news.ycombinator.com/item?id=21912817)
)

_Edit: Added the third reason not to use HTTPS_

~~~
Jenda_
ad. 5 - There are more. For example:

* You don't like the Let’s Encrypt Subscriber Agreement, for example the part about indemnification and attorneys' fees.

* Your domain name is on Let's Encrypt blacklist ([https://community.letsencrypt.org/t/name-is-blacklisted-on-r...](https://community.letsencrypt.org/t/name-is-blacklisted-on-renew/9012/6), [https://community.letsencrypt.org/t/domain-blacklist/106374](https://community.letsencrypt.org/t/domain-blacklist/106374)), though they now seem to un-blacklist most cases on email request.

I think the problem is that there are few alternatives to LE.

~~~
MaxBarraclough
I'm not sold on either of these objections. Let's Encrypt is not the only CA.
If you don't like the free CA, pay to use another one.

If I see unencrypted HTTP on a website, I immediately think less of that
website. It's a _Good Thing_ that the web has got to this point. Quibbles
about Let's Encrypt's terms don't strike me as convincing.

> I think the problem is that there are few alternatives to LE.

But there are. Again, there's a whole marketplace of CAs to choose from.

If anything, there are too many CAs trusted by today's browsers.

------
robrtsql
The exchange between Troy Hunt and Jacob Baytelman is a little aggravating for
me--they appear to be talking past each other.

Jacob challenges him to "hack [his] static blog". I don't know what 'hacking a
website' means to him, but to you and me it probably means compromising the
web server, which is not directly related to HTTPS (although I can think of a
lot of ways that the use of HTTP could lead to a web server being
compromised).

Troy responds by taking him up on this challenge, accuses Jacob of thinking
that his site is immune from transport layer risks, and then performs a man in
the middle attack on himself using Jacob's site (when in reality literally any
HTTP site could have been used).

It's like these two are having completely separate conversations.

~~~
jrajav
If you read the Twitter exchange leading up to the 'challenge accepted' tweet
linked in the article
([https://twitter.com/troyhunt/status/1014736960542289922](https://twitter.com/troyhunt/status/1014736960542289922)),
it's clear that the context of 'hack' is specifically about man-in-the-middle
injections. That is, hacking his static blog as it is served up to users.

And arguably, the fact that nearly any HTTP site could have been used for the
demo is partly the point.

~~~
baddox
It’s clearly not clear to Jacob, since he eventually says “I am afraid you
will only demo MITM attack on the traffic.”

------
jpxw
Certbot and LetsEncrypt make this a trivial process these days. Takes 15
minutes to set up and is free. Why not use it?

~~~
arlk
Or Cloudflare. Just a couple of origin hits and your site is served via CDN for
free, fast and secure.

~~~
tasogare
Definitely no. I set up my own personal page on a VPS precisely to avoid
LinkedIn, Google Scholar, Research Gate or any third party service being in
control of my public face. Using another service would defeat that purpose.

~~~
pmontra
You are probably using a VPS running on someone else's server, through many
networks. (So do I.) Any of those can MITM your traffic. Maybe you're also
using apt/yum to keep the VPS up-to-date. Is adding Letsencrypt to the list
such a burden? Or maybe you're only against Cloudflare. I go with Letsencrypt.

------
djsumdog
The first time I saw a mobile/prepaid ISP inject their notices on my own
personal website, I realized I needed to get off my lazy ass and set up
LetsEncrypt.

------
mmphosis
CITM - detected Corporations In The Middle (CITM) attack. requests blocked
15%, cdn.example.com dnjs.cloudyfaire.com troymcclure.disqus.com
fonts.noodleapis.com fonts.noodlestatic.com platform.example.com
noodletube.com example.com

https is easy. point everything DNS everything to cloudyfiare and click
Purchase and by clicking Purchase agree to all the terms (but don't actually
read any of them.) hand over root access to a program with the word bot in it,
and allow it to update itself automatically (what could possibly go wrong.)
Everything HTTPS all the time.
[https://en.wikipedia.org/wiki/DigiNotar](https://en.wikipedia.org/wiki/DigiNotar)

call me skeptical, or the many ([https://slate.com/technology/2020/01/what-to-know-about-the-controversy-over-the-sale-of-org.html](https://slate.com/technology/2020/01/what-to-know-about-the-controversy-over-the-sale-of-org.html)
[https://www.zdnet.com/article/kazakhstan-government-is-now-intercepting-all-https-traffic/](https://www.zdnet.com/article/kazakhstan-government-is-now-intercepting-all-https-traffic/)
[https://en.wikipedia.org/wiki/DNS_over_HTTPS#Criticism](https://en.wikipedia.org/wiki/DNS_over_HTTPS#Criticism))
many reasons Why My Static Website No Longer Exists.

------
zelly
Devil's advocate: HTTPS centralizes the web around big players. The CA trust
model gives a privileged few the right to say what websites are "secure", even
in cases where no user input goes down the wire. "Not Secure" in the top left
brands and shames amateurs. _Come on, just make a Medium page! You should be
posting this on a FAANG property!_ Let's Encrypt is great, but don't forget
that it could disappear overnight--after every browser started de facto
blocking non-HTTPS traffic.

~~~
jagged-chisel
How does Let's Encrypt fit into this? Are they part of the 'privileged few?'
Can we trust part of The Few more than other parts?

~~~
zelly
They have even more power than the paid ones, because most of the sites they
secure wouldn't/couldn't get a paid cert if Let's Encrypt disappeared or
refused to serve them. At least the customers of paid ones could just move
their billing to another service.

~~~
iso947
I would be more comfortable if there were several ACME-based free certificate
providers.

However I’m far more concerned about chrome, and the attitude of so many in
the biz that think Firefox should be mothballed.

------
pmlnr
> HTTPS Is Easy

It is not easy at all. Getting a certificate and putting it into the conf is.
Maintaining that certificate, applying the ever growing number of "security"
headers, dealing with broken stapling, is anything but easy.

~~~
sdoering
Strange. Once per week I receive a mail from a cronjob telling me my
certificate(s) are renewed. So for me the original statement holds.

------
henvic
Back in early 2009, I was launching a file storage web service similar to
Dropbox (without the client, but with an API with OAuth 1 support) using AWS
EC2 and S3. I planned to use HTTPS, but it was expensive for me (as a college
dropout), and the website is still online without it. I abandoned the project
afterward. Recently, I started to migrate it from AWS to Google Cloud
Platform, and one of the goals was to add HTTPS to it. However, I haven't had
much time to finish the migration, and it's still not being served as HTTPS
(even though it has all other sorts of protection that were the norm back
then). I wonder how many other "legacy websites" have a similar issue (which I
don't find justifiable for anything 'in production').

~~~
willis936
Have you tried let’s encrypt a la certbot? It wasn’t a painless process when I
did it but I do have autorenewing “green lock” SSL certs for free.

~~~
henvic
Yes, I have.

Let's Encrypt ACME challenge resolved this from now on. However, I'm using a
really old machine + OS, and the nginx version I'm running is old enough not
to be compatible with it. So, instead of having a hard time updating the
server, I decided to migrate the site to a newer machine (even because some
AWS technical limitations don't let me migrate to a new instance type).

~10 years ago I slacked in getting an HTTPS certificate as this would have
meant a lot of money.

~ Today, I want to use the ACME challenge with Let's Encrypt (no need of OV
for a portfolio website), but I never find the time to finish the migration
(that should take 4 to 16 more hours).

~~~
Jenda_
There are ACME clients written in Python 2 or even pure shell -- should work
even on very old systems (but not older than ~2010, you need openssl with
TLS1.2 support).

I personally prefer them even on current systems, as I don't really like the
"automagic" nature of certbot.

------
zxcvbn4038
This article is two years old - I think it's been well established that sites
need HTTPS, if for no other reason than browsers and search engines punish you
in a variety of ways for not having it. Certificates are free with Let's
Encrypt so there is no excuse not to anymore.

In the case of Cloudflare (or any CDN) best practice is to reject requests not
from the CDN. Cloudflare doesn't support AWS S3 compatible storage directly -
it won't make signed requests - but you can write an IAM policy that only
responds to certain IPs.

~~~
tristador
Here are those IP addresses. Just know that the list can change over time, so
you'll want to update your IAM policy.

[https://www.cloudflare.com/ips/](https://www.cloudflare.com/ips/)
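
One way to express the "reject requests not from the CDN" advice above as an S3 bucket policy, as an added example that is not zxcvbn4038's, tristador's or Cloudflare's code: it builds the policy in IAM's policy language from a list of CDN egress ranges and includes a local check that mirrors the policy. The ranges below are constructed placeholders from documentation address space; the real list comes from the CDN's published page and changes over time, which is why the builder validates every CIDR before it lands in the policy.

```python
import ipaddress
import json

# Constructed placeholder ranges (RFC 5737 / RFC 3849 documentation space).
# In practice you paste the CDN's published list, which changes over time.
SAMPLE_CDN_RANGES = [
    "203.0.113.0/24",
    "198.51.100.0/24",
    "2001:db8:1::/48",
]


def validate_ranges(ranges):
    """Parse each CIDR strictly so a typo fails here, not silently in IAM."""
    return [ipaddress.ip_network(r, strict=True) for r in ranges]


def build_bucket_policy(bucket, ranges):
    """Return a bucket policy that serves objects only to the CDN's egress IPs.

    Two statements: an Allow scoped to the CDN ranges, and an explicit Deny for
    every other source address. The Deny wins over any Allow that might be
    attached to the bucket later, so it is what actually enforces "reject
    requests not from the CDN".
    """
    cidrs = [str(net) for net in validate_ranges(ranges)]
    resource = f"arn:aws:s3:::{bucket}/*"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowGetFromCdn",
                "Effect": "Allow",
                "Principal": "*",
                "Action": "s3:GetObject",
                "Resource": resource,
                "Condition": {"IpAddress": {"aws:SourceIp": cidrs}},
            },
            {
                "Sid": "DenyGetFromElsewhere",
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:GetObject",
                "Resource": resource,
                "Condition": {"NotIpAddress": {"aws:SourceIp": cidrs}},
            },
        ],
    }


def is_allowed(client_ip, ranges):
    """Local check mirroring the policy: is this source address in a CDN range?"""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in validate_ranges(ranges))


if __name__ == "__main__":
    # "example-static-site" is a placeholder bucket name.
    print(json.dumps(build_bucket_policy("example-static-site", SAMPLE_CDN_RANGES), indent=2))
```

Re-run the builder whenever the published ranges change; a stale policy silently blocks the CDN's newer egress addresses.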

------
tristador
Note: 2018.

Troy talks about a tipping point, which was Jan 2017.

------
jstewartmobile
HTTPS PR is not the internet's defense against hackers. It's FAANG's defense
against Comcast and AT&T.

------
pragnesh
I have found one ISP that used to inject ads on HTTP pages, and the user has no
idea how this pop-up ad appears. The HTTP protocol needs to die.

------
tristador
> In one of many robust internet debates (as is prone to happen on Twitter)

Maybe I just don't get Twitter. Every time I look at a thread it starts with
some coherent conversation, but then devolves into a bunch of tangents that
don't coherently follow each other.

HN and similar seem much better suited.

~~~
hombre_fatal
Makes a lot of sense when you acknowledge that we like the dopamine release of
arguing. Twitter consolidates an argument into just the parts you mean and
read anyways. But you'll just find long form of the same exact thing on
message boards and Reddit.

------
ronyfadel
I’m stuck in a related situation: I own a website with heavy traffic that
contains inline iframes to some http pages (about 30% of pages) hosted by
third parties. I can’t turn https on for my website, otherwise these iframes
would be blocked by the browser. Since I don’t offer https, it means that I
can’t offer features such as login/sign up etc. Any ideas?

~~~
cheez
Proxy the iframes through your own server.

~~~
ronyfadel
Wouldn’t that be very bandwidth intensive? They’re video streams served over
HTTP.

~~~
cheez
Oh so then I'm pretty sure they use http to reduce CPU load.

------
bullen
HTTPS is bad:

- It wastes resources.

- It adds complexity.

- You can solve everything HTTPS solves over HTTP!

- It encourages passive destructive behavior.

- Troy Hunt probably has money coming in from certificates somehow.

HTTP/2 and HTTP/3 are also bad.

WebSockets are bad.

As a side note:

Vulkan is bad.

HDMI is bad.

Wakeup people. Time to get off that over-engineering couch and downvote the
guy telling the truth again!

~~~
pmlnr
So... you are both correct and not, which is probably why you're getting
downvoted.

Is much of the current tech overengineered? Yes, it definitely is.

HTTPS on its own - having TLS and a certificate - is not. It never was. But
with stapling, CORS, X-XSS, and the rest, it becomes a beast. Those are
becoming requirements, and they are making things _very_ complicated.

I hear you, and I tend to agree on many things. Serial ports were gloriously
simple whereas USB3 is a nightmare on every level. VGA was beautiful in its
simplicity, HDMI 1.4 with Ethernet included is certainly too much.

MTA-STS is probably the worst idea that could have been added to email, by
relying on HTTPS requests.

My personal take on this: use all of them responsibly. Use HTTPS, but don't
make it exclusive, let the user make the choice: keep HTTP as well. Leave
CORS, STS, Referrer Policy, etc out.

~~~
bullen
You are the first person in the world who has a dialogue with me about this.
Thank you!

Here are a bunch of solutions I use instead of complexity:

I hash with a one-time server-generated salt for login:

[http://talk.binarytask.com](http://talk.binarytask.com)

I use Comet-Stream for real-time communication over HTTP:

[http://fuse.rupy.se](http://fuse.rupy.se)

And my latest finding is DPI for video:

[http://talk.binarytask.com/task?id=2433316338364993026](http://talk.binarytask.com/task?id=2433316338364993026)

------
dang
Discussed at the time:
[https://news.ycombinator.com/item?id=17857975](https://news.ycombinator.com/item?id=17857975)

------
pmlnr
Yes, add HTTPS, but keep the option for mere HTTP, because backwards
compatibility is good.

Many parts of the world can't deal with TLS1.3 HTTP/2 websites only.

~~~
acdha
It's not “many parts” but a fraction of people with older browsers (mostly IE,
Android). The global figures shown on Can I Use are pretty close to what I see
on an international web property as well — ~80%:

[https://caniuse.com/#feat=tls1-3](https://caniuse.com/#feat=tls1-3)

That may or may not be a fraction of traffic you care about depending on your
visitor profiles and security posture but it's not really accurate to say
“many parts of the world”.

------
known
To prevent [https://en.wikipedia.org/wiki/Man-in-the-middle_attack](https://en.wikipedia.org/wiki/Man-in-the-middle_attack)

------
dvfjsdhgfv
There are almost no arguments given, but all the other ones are nicely
rebutted on n-gate:

[http://webcache.googleusercontent.com/search?q=cache:hV6m26a...](http://webcache.googleusercontent.com/search?q=cache:hV6m26a8hrAJ:n-gate.com/software/2017/)

------
jstewartmobile
Without HTTPS, Russians could MITM my knitting blog any minute now!

Indefinitely babysitting letsencrypt is a small price to pay to keep those
grannies safe!

~~~
iso947
A cronjob does the job just fine - far less babysitting than keeping your OS
up to date with security patches (ok, that’s another cronjob if you’re happy
with auto reboots on occasion).

~~~
jstewartmobile
Everything in awful awful IT requires babysitting--even cron jobs.

~~~
iso947
If you’re running your own server you need to be babysitting it; the extra
babysitting for your https cert is negligible.

~~~
jstewartmobile
Let me guess... IT guy?

------
superkuh
The problem with these calls for HTTPS is that those doing it believe http and
https are mutually exclusive. They completely turn off human navigable
webservers and leave only the machine navigable ones online. It makes the web
only accessible to computer software written in the last 5 years.

There are plenty, I'd say most, websites which do _not_ need HTTPS. And my
static website does not _need_ https. It's nice, sure, but it's a personal
website and there's no money or personal information involved. Leaving an HTTP
version going alongside the HTTPS and Tor hidden service is just fine.

The greater evil is having people run third party code by default on every
website from every random domain that's called. Now that's insecure. It's like
opening every email attachment you get. Every single "danger" of HTTP he lists
is actually a danger of running third party code blindly and automatically.

~~~
djsumdog
Do you want ISPs to inject random crap at the top of your website? Because
that's how you get ISPs to inject random crap at the top of your website.

I remember getting a Vodafone sim card (I think it was in Belgium or The
Netherlands) and seeing their banner displayed on MY WEBSITE! It wasn't in a
language I know, and it might have just been a bandwidth warning or something
to indicate I need to reload, but it was still on my website, injected right
in there.

HTTP is needed for static sites, if you want to ensure your readers see the
exact same site that you made.

~~~
arm64future
>Do you want ISPs to inject random crap at the top of your website?

If your ISP does this, or if you are on a sketchy network somewhere, then
maybe you should not use it at all. Get a new ISP, or use a VPN if you are
that worried. If the webmaster is not sharing sensitive information on his
casually maintained static website, then that is good enough reason not to use
HTTPS. I know it sounds... uncaring.

It is true that ordinary people, who don't understand the risks, could get
MITM'd and never suspect a thing. For some reason I still don't care enough to
put HTTPS on my shitty old flash game website. I just can't be bothered. I
think that is good enough of a reason. Blame should go on the ISPs who are
MITM'ing their customers.

~~~
rahuldottech
Sure, but when the biggest (or only) ISPs in many countries are doing it, and
you can prevent it by taking out 15 minutes to set up Let's Encrypt, that's on
you.

~~~
arm64future
Nope. They can get a VPN, or fight against their big ISP or government to stop
such dubious practices. Your point of view seems to come from a standpoint of
infantilization of these users.

~~~
rahuldottech
You expect that from the vast majority of the population which is not tech-
savvy?

~~~
wolco
I expect the vast majority to complain if their internet provider is putting
ads into websites. The bigger the company, the bigger the group.

