
Not OP, but I don’t have a certificate on my personal web site either, and I don’t think I need one.

> find it really hard to really trust if that's your contact information

Because Google implemented a warning in their web browser, and you comply without understanding their reasons?

SSL is most useful for credit card processing.

SSL makes some sense for e-mails and chat messages, also for authentication.

SSL is useless for static content.

I think Google did that for money, just sold the security story really well. They’re smart people, they can’t possibly be unaware of certificates being useless for the majority of the web. Here are the reasons.

Increases the entry barrier, centralizing the internet even more. For-profit internet companies have zero issues paying for certificates, it’s part of their business. It raises the barrier for ordinary people. Also creates more incentive for placing ads on their web sites to reduce costs. Guess who earns the most profits from internet ads?

Also, SSL breaks caching proxies by design. This opens the market for the technically inferior Google AMP. Technically inferior, because proxies are closer to users; 20 years ago most office buildings had a caching proxy like Squid or MS ISA Server.

Also, there’s an unintended consequence: users learning to ignore SSL errors and proceed anyway. People processing credit cards usually know what they do, take security seriously, and SSL errors there often mean what they’re supposed to mean, warning about potential hacks. People implementing SSL just to shut up the Google browser don’t need security, they care much less and screw up much more often.




> SSL is useless for static content

This is just... false. Without SSL, static content can be MITM'd just like anything else. Don't believe me? Connect to the WiFi in any Starbucks and visit http://example.com. That redirect to the Starbucks WiFi login page certainly isn't being served from example.com...

Please stop spreading misinformation about SSL.


> Connect to the WiFi in any Starbucks

Need to cross national borders for that, more than once.

> That redirect to the Starbucks WiFi login page certainly isn't being served from example.com

Also saw these things here in a couple of places. Most places here don’t charge for WiFi and have a single PSK for all clients, but a couple indeed ask for authentication this way.

I’m not sure how SSL helps? As a user, I don’t want to have access to WiFi blocked, I’d rather have redirects. Even though it’s technically MITM, it does the job, i.e. allows access to the network.

> stop spreading misinformation about SSL

I have written that unless it’s credit card numbers or other sensitive content like e-mails or Facebook messages, there’s very little security value in it, and it costs web site owners. What exactly do you think is the misinformation in this statement?


While this may not answer all your questions, here's a good write up about the topic by Troy Hunt, a respected thought-leader in the industry: https://www.troyhunt.com/heres-why-your-static-website-needs...


If your site is vulnerable to a MITM attack you are not protecting your users and someone can serve them anything. The security risk isn't people reading your blog in flight, it is people injecting your blog with malicious scripts that can compromise your users.

Would you be happy if when I visited your website I was asked for my credit card details through a phishing scam? Not secure for me, not a good look for your site.
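The injection risk described in this comment has a symptom a site owner can look for from the client side: a page received over plain HTTP on an untrusted network carries script tags the origin never sent, and the headers that would have prevented it (HSTS, CSP) are gone. The following is an added example for this thread, not code from any commenter or from any real site; the headers, HTML and host names (`cdn.example.test`, `ads.injected.test`) are constructed for the demonstration. It is a detection check, not a fix: serving the site over TLS with HSTS is what actually stops the rewrite.

```python
"""Detect the symptom of in-transit script injection on a static site.

Added example for this thread, not code from any commenter. The headers and
HTML below are constructed for the demonstration; the host names are made up.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.sources.append(value)


def script_hosts(html):
    """Return the set of hosts that <script src> tags point at.

    Same-origin (relative) script URLs are reported as the empty string.
    """
    collector = _ScriptCollector()
    collector.feed(html)
    return {urlparse(src).netloc.lower() for src in collector.sources}


def audit_response(headers, body, allowed_hosts):
    """Return a list of findings for one HTTP response to a static page.

    headers: dict of response header name -> value
    body: the HTML document as received by the client
    allowed_hosts: hosts the site owner expects scripts to come from
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    findings = []
    # HSTS keeps returning visitors on HTTPS, where an on-path proxy cannot rewrite the page.
    if "strict-transport-security" not in lowered:
        findings.append("no Strict-Transport-Security header")
    # A CSP limits which script origins the browser will execute even if the markup is altered.
    if "content-security-policy" not in lowered:
        findings.append("no Content-Security-Policy header")
    for host in sorted(script_hosts(body)):
        if host and host not in allowed_hosts:
            findings.append(f"script loaded from unexpected host: {host}")
    return findings


# Constructed sample: what the origin server actually sends over HTTPS.
SITE_HOSTS = {"cdn.example.test"}
ORIGIN_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.test",
}
ORIGIN_BODY = """<html><head><script src="/js/site.js"></script>
<script src="https://cdn.example.test/lib.js"></script></head>
<body><p>Contact: see the PGP key on this page.</p></body></html>"""

# Constructed sample: the same page as a client on a hostile network might
# receive it over plain HTTP, with the security headers dropped and one
# script tag added by an intermediary.
PROXIED_HEADERS = {"Content-Type": "text/html"}
PROXIED_BODY = ORIGIN_BODY.replace(
    "</head>", '<script src="http://ads.injected.test/x.js"></script></head>'
)

if __name__ == "__main__":
    for label, headers, body in (
        ("origin", ORIGIN_HEADERS, ORIGIN_BODY),
        ("proxied", PROXIED_HEADERS, PROXIED_BODY),
    ):
        print(label, audit_response(headers, body, SITE_HOSTS) or "clean")
```

Run on the constructed samples the origin response comes back clean and the proxied one yields three findings; against a live site you would feed it the headers and body of a real response fetched from the network you are worried about and compare with what the origin serves over HTTPS.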


Completely ignoring privacy. ISPs "collect" (read: eavesdrop on) all data they can get their hands on.


ISPs know IP addresses anyway, even with HTTPS. Same with DNS names.

SSL makes a lot of sense on web sites like facebook and youtube: users enter sensitive data there, servers serve terabytes of available content, not all of which is public, and even for public, the user’s selection is privacy-sensitive.

For small static web sites, any person in the world can get their hands on all the content, that’s the whole point of the public Internet. There’s no privacy-sensitive data in HTTP traffic to these sites, unless there’s Google Analytics, ads, or some other malware on that site.


Say you trust mrb on Hacker News. He lists his website on his profile page. You go to that site. How do you know you are seeing what mrb wants you to see (his contact info)? SSL.


> Increases entry barrier, centralizing internet even more. For-profit internet companies have zero issues paying for certificates, it’s part of their business. It raises barrier for ordinary people. Also creates more incentive for placing ads on their web sites to reduce costs. Guess who earns most profits from internet ads?

Let's Encrypt is one obvious thing to mention here; besides removing the cost barrier to entry, it really is quite simple to set up.


> it really is quite simple to set up

I haven’t tried, but I think it’s only simple if you’re willing to manually renew every 90 days. I’m not willing to.

Automatic renewals are only simple for popular environments like LAMP; my web server runs Windows Server with IIS and old school ASP.NET. I can run arbitrary native code on that server, but I don’t have GUI access to that machine.

But even if it were super-easy and automated for 100% of web servers, that’s still introducing a dependency on a third-party service, for no value to the audience of my web site. Just shutting up a web browser that I don’t even use myself is not a good reason, IMO.


> [...] manually renew every 90 days

That's the opposite of the design goals - Let's Encrypt is designed to be automatable.

They set the expiry to 90 days precisely because they want you to automate the renewal.
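What "automate the renewal" looks like in practice is a scheduled job that inspects the live certificate and hands off to the ACME client while there is still margin. The following is an added example for this thread; it is not code from Let's Encrypt, certbot or any commenter. It assumes a renewal window of 30 days, which is certbot's default, and the sample certificate fields (`www.example.test`, the dates) are constructed, not from a real certificate. It can also be pointed at a real host name on the command line, in which case it performs a normal, fully verified TLS connection and reads the peer certificate.

```python
"""Certificate expiry check feeding an automated renewal decision.

Added example for this thread; it is not code from Let's Encrypt or any ACME
client. The sample certificate fields below are constructed. The 30-day
threshold matches certbot's default renewal window (assumption: your client
uses the same).
"""
import socket
import ssl
import sys
import time

LIFETIME_DAYS = 90          # Let's Encrypt certificate lifetime
RENEW_AT_DAYS_LEFT = 30     # renew when this many days or fewer remain


def fetch_peer_cert(host, port=443):
    """Live lookup: TLS-connect with full verification and return the peer cert.

    Returns the dict shape that SSLSocket.getpeercert() produces.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def days_until_expiry(cert, now=None):
    """Days (float) between `now` and the cert's notAfter; negative if expired."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    now = time.time() if now is None else now
    return (expires - now) / 86400.0


def needs_renewal(cert, now=None, threshold=RENEW_AT_DAYS_LEFT):
    """True when the cert is inside the renewal window (or already expired)."""
    return days_until_expiry(cert, now) <= threshold


def renewal_plan(cert, now=None):
    """Decision string a cron job could log before invoking the ACME client."""
    left = days_until_expiry(cert, now)
    if left < 0:
        return f"EXPIRED {-left:.1f} days ago: renew immediately"
    if needs_renewal(cert, now):
        return f"{left:.1f} days left: renew now"
    return f"{left:.1f} days left: nothing to do"


# Constructed sample in getpeercert() format: a 90-day certificate issued
# on Jan 10 2024 (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": ((("commonName", "Example Test CA"),),),
    "notBefore": "Jan 10 12:00:00 2024 GMT",
    "notAfter": "Apr  9 12:00:00 2024 GMT",
}
SAMPLE_ISSUED_AT = ssl.cert_time_to_seconds(SAMPLE_CERT["notBefore"])

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. python3 check_expiry.py www.example.test
        cert = fetch_peer_cert(sys.argv[1])
        print(sys.argv[1], renewal_plan(cert))
    else:
        # Walk the constructed certificate through its lifetime, ten days at a time.
        for day in range(0, LIFETIME_DAYS + 10, 10):
            when = SAMPLE_ISSUED_AT + day * 86400
            print(f"day {day:3d}: {renewal_plan(SAMPLE_CERT, when)}")
```

With a 90-day lifetime and a 30-day window the job says "nothing to do" for the first 60 days and "renew now" from day 60 on, which is why a daily run (cron, a systemd timer, or Task Scheduler on Windows) is enough: it leaves a month of retries before anything actually expires.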


It's probably not as nice as Linux, but there are a lot of options for Windows / IIS:

https://letsencrypt.org/docs/client-options/#windows-iis


It can actually be quite difficult to set up if you have a non standard configuration.


This view is way behind the times.

Lots of commenters have raised good points and pointed you to instructive resources on the subject, and you've quite selectively ignored the best ones. Please take a moment and withhold the assumption that we've all been brainwashed by Google, and consider that other people might know something you don't.


> SSL is useless for static content.

No it ain't. The cert is at least some assurance that the static content was not altered in transit between the original server and some MITM. Non-HTTPS sites absolutely suck to browse on less-scrupulous public wi-fi hotspots that try to inject their own ads into your browsing sessions (cough cough Greyhound cough cough).

> It raises barrier for ordinary people

Let's Encrypt has existed for multiple years now. There's certainly an effort-related barrier to entry, but not a financial one.

> 20 years ago most office buildings had a caching proxy like Squid or MS ISA Server.

And they can still have that by setting up their own internal CA and installing their own root cert on company-owned machines. Hell, running an internal CA is pretty standard practice for large enterprises (and even some medium ones) specifically so that Intranet applications can use TLS without browsers whining about self-signed certs.

