Latest news underscores why encryption is necessary

There are good explanations and advice here:

And Apple is adamant about developers including HTTPS on their apps;

Another good explanation here:

3 Likes

No, it’s worse than this, and you should probably never visit a non-encrypted web site. While sensitive data flowing from the user’s browser to the web site is definitely a concern, remember that it’s a two way street. The web site is sending data back to the user’s browser, and if it’s not encrypted, it can not only be intercepted along the way (so any sensitive data the web site embeds in the page can be captured), but potentially modified. Images can be replaced, text modified to give misleading or incorrect information, URLs modified to either track the user or to direct them to a phishing site, etc.

5 Likes

I have found that sometimes when I end up on a non-encrypted (http) site I can edit the URL address by changing ‘http’ to ‘https’ and it works. Some web sites have both versions running and you just need to tell your browser to move to the https version. The ‘HTTPS Everywhere’ extension for Firefox (and browsers other than Safari) will do this automatically for you. I highly recommend it.

Well, as far as https, I still do a couple three websites for free and the SSL certificate my hosting provider offers is around $100 a year which my clients (well friends really) think is high. They are not e-commerce sites and have simple contact forms that require no personal info. I have seen yearly costs for a certificate range from less than $10 to many hundreds. And the security offered (encryption strength) seems to vary, too. So just seeing an https url isn’t a perfect guarantee!

Another thing having a https certificate gives the website owner is liability insurance for data theft, and of course the level of coverage varies with the price too!

If it’s a certificate from an agency that is trying to provide a digital identity (e.g. prove who owns the site, not just validate the domain), then $100/yr may be reasonable.

If, however, it is a certificate that only validates your domain name and encrypts content (e.g. the kind you get from Let’s Encrypt), then that’s massively overpriced. Since Let’s Encrypt is a free service, support for it or something else with similar capabilities should be very inexpensive, if not free.

1 Like

The hosting company for three Websites that I run apparently does not offer support for Let’s Encrypt, and the encryption service that it does offer would cost me $66/year for each of the three. Since all of them are effectively read-only and public service, adding encryption would not provide any benefit to me or to my readers. Furthermore, it would make these Websites effectively unavailable to folks who are living with old machines, because old Web browsers will throw up misleading security alerts when the real problem is that some of their own certificates are obsolete. For that very reason, there are up-to-date Websites that I cannot access from my old machines–only from my newer ones. (I have five machines of various vintages, from MacOS 8.1 up to Monterey.) While it’s theoretically possible to import additional certificates, I’ve never found it sufficiently important to take the time to investigate where such certificates could safely be found.

Free Let’s Encrypt certificates should be automatic for any shared hosting provider, I would find another host rather than pay for certificates.

Even when the information is not critical or private, having encryption on a site is reassuring and the norm. It also prevents a man-in-the-middle attack from inserting malicious content in the pages as they’re delivered (including things like ISPs inserting ads).

The vast majority of users are using an OS/browser that works with Let’s Encrypt certificates after their change last year. For users using iOS before v10 or macOS before Sierra (10.12.1, and haven’t manually installed the current certificate or switched to using Firefox), rather than pay for a more compatible certificate for such content, I would leave HTTP active instead of redirecting all requests to the HTTPS equivalent.

To permit really old browsers to connect, you need an unencrypted version anyway because they don’t support more modern, secure TLS protocols or ciphers. A shared hosting provider might configure the server to use the oldest, most compatible (and least secure) settings to avoid complaints but it still wouldn’t be compatible with an OS/browser from 20+ years ago.

2 Likes

Here it is: https://letsencrypt.org/certs/isrgrootx1.pem

It’s easy to add on a Mac, download the certificate, double-click it, accept the prompts, type in your password, done. The steps are about the same if you click the link on an iOS device.

From last year: Root security certificate expiring September 30 affecting El Capitan and older

2 Likes

Also, Google has been threatening to not index http sites for quite a while, and is possibly downgrading their position in results right now.

I think not indexing unencrypted sites is unlikely.

I don’t think lack of encryption is affecting a site’s position in search results yet but I could see it happening. This recent article is not high quality (it repeatedly fails to include the “S” in “HTTPS”) but it quotes a John Mueller, Webmaster Trends Analyst at Google, who says it’s a good idea to replace HTTP links with HTTPS ones but not for search algorithm reasons. Google: “Always Try” To Replace HTTP Links With HTTPS, makes a meal out of a very brief comment.

That’s probably true now–a search result that is the top hit on DuckDuckGo appears near the bottom of the second page on Google. But since I’m not selling anything, nor trying to persuade folks of something, that’s not a problem for me.

Thanks, Curtis. That worked on Firefox 37, though I had to add a security exception to get to letsencrypt.org in the first place, and then it wasn’t a “download & double-click,” as Firefox recognized that it was an incoming certificate. Of course FF37 is too old to handle a lot of modern Websites properly, but that’s a different problem.
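The two posts above install the ISRG Root X1 certificate after downloading it, in one case over a connection that first needed a security exception. Before trusting a root fetched that way, compare its fingerprint with the one Let’s Encrypt publishes. The script below is an added example, not code from the thread or from Let’s Encrypt; it uses only the Python standard library, the PEM text it builds in `constructed_pem` is made up and is not a real certificate, and `EXPECTED_FINGERPRINT` is a placeholder to be replaced with the published value.

```python
"""
Added example (not from the thread): check a downloaded root certificate
against a published SHA-256 fingerprint before adding it to a trust store.
Standard library only. constructed_pem() produces made-up test data, not a
certificate, and EXPECTED_FINGERPRINT is a placeholder for the value that
Let's Encrypt publishes for ISRG Root X1.
"""
import base64
import hashlib
import ssl
import sys

# Placeholder: paste the fingerprint published on letsencrypt.org here before use.
EXPECTED_FINGERPRINT = "PASTE:PUBLISHED:SHA256:FINGERPRINT:HERE"


def pem_fingerprint(pem_text):
    """SHA-256 fingerprint of the certificate's DER encoding, in the
    colon-separated upper-case form that browsers display."""
    # ssl.PEM_cert_to_DER_cert strips the BEGIN/END lines and base64-decodes the body.
    der = ssl.PEM_cert_to_DER_cert(pem_text)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(pem_text, expected):
    """True when the file's fingerprint equals `expected`, ignoring colons,
    spaces and case so a value copied from a web page compares cleanly."""
    def norm(s):
        return "".join(ch for ch in s.upper() if ch in "0123456789ABCDEF")
    return norm(pem_fingerprint(pem_text)) == norm(expected)


def constructed_pem(payload):
    """Wrap arbitrary bytes in PEM armour so the functions above can be
    exercised offline. Constructed test data, not a certificate."""
    body = base64.encodebytes(payload).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python check_root.py isrgrootx1.pem
        with open(sys.argv[1]) as f:
            pem = f.read()
        print(pem_fingerprint(pem))
        print("matches published fingerprint:", fingerprint_matches(pem, EXPECTED_FINGERPRINT))
    else:
        print(pem_fingerprint(constructed_pem(b"constructed, not a certificate")))
```

A root certificate is trusted for everything once installed, so the fingerprint comparison is the one step that makes the manual import safe when the download path itself could not be verified. Keychain Access and Firefox both show the same SHA-256 value under the certificate's details, so the comparison can also be done after import.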

Unlike most browsers, Firefox doesn’t use the Mac’s root certificate store, it includes its own, so the steps are different.

Any Mac that can run Firefox 37 can run Firefox 47 (installer, OS X 10.6 or newer). Firefox 78 runs on 10.9 or newer (installer), the last ESR release was from less than a year ago. Using 47 instead of 37 means having support for a number of JavaScript language features that are likely to be used on more modern sites. Using 78 means having CSS Grid support, an important feature for creating page layouts. Web feature comparison of all three versions.

Because this thread is about encryption, I’ll point out running 47 means having support for more ciphers and running 78 means having support for TLS 1.3, the latest version.

TenFourFox ceased work last year; the last release was based on Firefox 45 but with some features and security updates back ported from Firefox 78. It runs on PowerPC Macs with OS X 10.4 or 10.5 (installer). I don’t really keep track of other browser forks that might work on older systems but have more modern web features.

3 Likes

It has been nearly a year since this thread was started but there is a lot of information relevant to my issue…

I have created dozens of web pages over the years with links to news and research relevant to a wide range of topics, but mainly vehicle safety and astronomy. None of these have data entry forms and I have never seen the need for the expense and effort (i.e. updating numerous links) to move to “secure” https webpages with SSL certificates.

However I have noticed that several of my webpages that were once easy to find with Google/Duckduckgo are no longer listed. I realise that, these days, search engines are swamped with URLs but I am wondering if they are avoiding listing web pages without SSL certificates, as discussed above.

The other issue is that web browsers now tend to warn users that a web page is “not secure” and this might put people off viewing them.

As it should, and that’s not bad in the grand scheme of things. It’s an iffy proposition from a security standpoint to ignore what’s now baseline security by not deprecating http and offering web sites with https.

1 Like

Not addressing your question exactly, but I would be glad to visit your astronomy links. Currently excruciating over whether astronomy is just “one too many expensive interests with steep learning curves”… or whether I wouldn’t be better off using a Windows machine for it.

Not an answer to your question, but this part puzzled me. I’ve moved a few websites to SSL in recent years (ones that are at least as big if not bigger than what you describe). There shouldn’t be any cost. Any good host should provide SSL certificates for free, and you can use ‘Let’s Encrypt’ yourself if not. And you don’t need to manually update http to https – you simply configure your web server to redirect all http requests to https. It’s a quick and relatively simple change.

I have no direct knowledge, but I think it’s highly likely http sites will struggle to show in the top results these days. Apparently Google started preferring https sites as far back as 2014, so given the wide adoption recently it wouldn’t be surprising if they’ve stepped that up.

2 Likes
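The post above describes the move as configuring the web server to redirect every http request to https; the earlier post about man-in-the-middle modification explains why that redirect is worth checking after the change. The script below is an added example, not code from the thread or from any hosting provider: it judges the response a plain-HTTP request gets (a permanent redirect to the https version of the same host is the intended outcome) and parses the Strict-Transport-Security header that stops later visits from being downgraded again. The pure functions take a status code and a header dict, so they run offline on the constructed responses in the demo; `check_live` performs the real lookups when a hostname is given. `example.test` is a placeholder hostname.

```python
"""
Added example (not from the thread): offline-testable checks for a site
that redirects http:// to https://. classify_redirect() and check_hsts()
work on constructed responses; check_live() does the real lookups when
the script is run with a hostname argument. Hostnames here are placeholders.
"""
import http.client
import sys
from urllib.parse import urlsplit

PERMANENT_REDIRECTS = (301, 308)
SIX_MONTHS = 180 * 24 * 3600   # smallest HSTS max-age worth having (assumed threshold)


def _lower(headers):
    """HTTP header names are case-insensitive; normalise them for lookup."""
    return {k.lower(): v for k, v in headers.items()}


def _same_site(a, b):
    """Treat host and www.host as the same site when judging the redirect target."""
    def strip(n):
        n = n.lower()
        return n[4:] if n.startswith("www.") else n
    return strip(a) == strip(b)


def classify_redirect(status, headers, host):
    """Judge the response to a plain-HTTP request for http://<host>/.

    Returns (ok, reason). ok is True only for a permanent redirect (301 or
    308) whose Location is the https:// URL of the same site. A 200 page
    over HTTP, a temporary 302, a redirect that stays on http, or a redirect
    to a different host are all reported with the reason.
    """
    h = _lower(headers)
    if status not in PERMANENT_REDIRECTS:
        return False, f"status {status}: content served over HTTP without a permanent redirect"
    location = h.get("location")
    if not location:
        return False, "redirect carries no Location header"
    target = urlsplit(location)
    if target.scheme != "https":
        return False, f"redirect target {location!r} is not https"
    if not _same_site(target.hostname or "", host):
        return False, f"redirect leaves the site: {location!r}"
    return True, f"permanent redirect to {location}"


def check_hsts(headers):
    """Parse Strict-Transport-Security from an HTTPS response.

    Returns a dict with present, max_age (seconds or None),
    include_subdomains and strong (present with max-age >= SIX_MONTHS).
    The redirect alone only protects the first request; HSTS tells the
    browser never to try plain HTTP for this host again.
    """
    result = {"present": False, "max_age": None, "include_subdomains": False, "strong": False}
    raw = _lower(headers).get("strict-transport-security")
    if raw is None:
        return result
    result["present"] = True
    for directive in raw.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                result["max_age"] = int(value.strip().strip('"'))
            except ValueError:
                result["max_age"] = None
        elif name == "includesubdomains":
            result["include_subdomains"] = True
    result["strong"] = result["max_age"] is not None and result["max_age"] >= SIX_MONTHS
    return result


def check_live(host, timeout=10):
    """Run both checks against a real host: (redirect_ok, reason, hsts_dict)."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    conn.request("GET", "/", headers={"Host": host})
    resp = conn.getresponse()
    ok, reason = classify_redirect(resp.status, dict(resp.getheaders()), host)
    conn.close()
    # HTTPSConnection's default context verifies the chain, so an expired or
    # missing root on the client shows up here as an SSLError, as in the thread.
    sconn = http.client.HTTPSConnection(host, 443, timeout=timeout)
    sconn.request("GET", "/", headers={"Host": host})
    hsts = check_hsts(dict(sconn.getresponse().getheaders()))
    sconn.close()
    return ok, reason, hsts


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(check_live(sys.argv[1]))      # usage: python https_posture.py example.test
    else:
        # Constructed responses, not captured from any real server.
        print(classify_redirect(301, {"Location": "https://example.test/"}, "example.test"))
        print(classify_redirect(200, {"Content-Type": "text/html"}, "example.test"))
        print(check_hsts({"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}))
```

Run without arguments it exercises the constructed responses; run with a hostname it reports whether that site's plain-HTTP front door sends visitors to HTTPS permanently and whether HSTS is set. A 302 is deliberately rejected because browsers and search engines treat it as temporary and keep requesting the HTTP URL.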

Astronomy - start here:

Thank you for the tips from other respondents - I will look at my options.

Please keep doing what you do. You are adding so much to this board and our overall intelligence in general.

I had to look up the identification of Venus as the hugely bright “star” in my (directly) west sky last night. I should have just known this.

My thanks!!–and good luck, high security, and low cost.

1 Like

I have a http site that got quite high on Google just last year. This is a website I maintain for myself and some friends. It did better than the site it gets its data from on some searches, which is not what I intended, so I had to stop Google from crawling it.

If you do this search on Google, site:www.vdrsyd.com, you will see that Google is still crawling your site. So it can be several things that are pushing your rating down. Instead of guessing, try Google Search Console.

2 Likes