

HTTPS is one of the least important things you can do to secure your site - daviddede
http://dcid.me/notes/2014-oct-26

======
bradleyland
How is this considered even remotely good advice? I agree that you should
definitely do all of the other things advocated by the author, but why _not_
use HTTPS everywhere? Because of the risk of engendering a false belief that
your site is secure?

This is a rant based on a flawed principle; that if you can't do it all, don't
do any of it. If you don't use HTTPS, you will open yourself to _many_
additional attack vectors. Why would any security professional give this
advice? It makes no sense at all.

