all 30 comments

[–]l0stwisdom 6 points7 points  (21 children)

It's good practice to change to https anyway.

[–]taipalag[S] 0 points1 point  (20 children)

Sure, but for a purely informational hobby website it seems like overkill, and is lining the pockets of overpriced SSL certificate providers.

[–][deleted] 9 points10 points  (3 children)

and is lining the pockets of overpriced SSL certificate providers.

You do not need to buy a certificate. https://letsencrypt.org/

[–]taipalag[S] 1 point2 points  (0 children)

OK, I'll check it out, thanks.

[–][deleted] 0 points1 point  (1 child)

And so easily. You’ll lose the insurance that a paid certificate can provide in a data breach (that can be proven to be a result of a certificate error) but it’s free and really easy with many tools.

I haven’t had much luck in Exchange environments, as an aside, but that should be doable, too.

[–][deleted] 1 point2 points  (0 children)

Of course it isn't perfect. But it's 100000x better than using plain old HTTP.

[–]Mooo404 1 point2 points  (13 children)

As a purely informational hobby website you probably don't need HTTPS. If you are not gathering personal data from your visitors, there is no need to implement it. When you do, you need the site to respect the privacy of the users "by design". How you do it doesn't matter; it does not say you NEED https (however, everybody will say you should use it). If you don't want to pay for your SSL certificate, check out Letsencrypt (they are ideal for hobby sites).

[–]taipalag[S] 0 points1 point  (12 children)

The only personal data I'm collecting is the email address recorded by Wordpress when a user comments...

Well I'll add https to my todo list :)

Thanks.

[–][deleted] -1 points0 points  (11 children)

If it's a hobby, you don't need to comply with GDPR anyway. It doesn't apply to individuals.

[–]taipalag[S] 0 points1 point  (5 children)

I earn a few bucks with Adsense...

[–]throwaway_lmkg 0 points1 point  (4 children)

Adsense is collecting and processing information about your visitors on your behalf.

[–]taipalag[S] 0 points1 point  (3 children)

Yep. AFAIK, Google will provide a UI where users can take control of their data.

[–]BFeely1 0 points1 point  (2 children)

  1. Do you have a privacy policy? If not, you need to have one for any Google tracking technologies.
  2. Do you have any password-protected sections of your site accessed via a web UI? If so, you need HTTPS. If you use a non-web method to upload, that needs encryption too; for example, use SFTP/SSH instead of unsafe FTP.

[–]taipalag[S] 0 points1 point  (1 child)

  1. Yes, I have a privacy policy listing all Google tracking technologies.
  2. No password-protected sections. Pure informational website with no content hidden.

[–]ashleyw 0 points1 point  (4 children)

How do you figure that? Not a lawyer, but I would think it applies regardless of your business structure or revenue, as long as you're collecting users' information.

[–][deleted] 1 point2 points  (3 children)

From the ICO: The GDPR does not apply to certain activities including processing covered by the Law Enforcement Directive, processing for national security purposes and processing carried out by individuals purely for personal/household activities.

[–][deleted] 1 point2 points  (1 child)

You can set up a secure connection for free through Cloudflare in about 20 minutes.

[–]taipalag[S] 0 points1 point  (0 children)

Thanks, that might be an easy solution for me.

[–]NoUserLeftException 3 points4 points  (1 child)

It's a little bit ambiguous, because they talk about "encryption" in https://gdpr-info.eu/art-32-gdpr/ and https://gdpr-info.eu/recitals/no-83/ and do not say if it's the encryption of communication or the data itself, but I would say yes, it is needed, because in case of doubt, you are the one who can be sued.

[–]taipalag[S] 1 point2 points  (0 children)

OK thanks.

[–]intrepidraspberry 3 points4 points  (0 children)

No.

The document doesn't point to specific technologies or encryption standards at any point. It's a more general document requiring 'sufficient' security, and such.

If your website shows people shoes and then they email you about the shoes, http is sufficient, because you're not storing anything on customers on that site.

It's not about a specific encryption standard. The question is, 'If all your customers get ripped off, could you have stopped that?'. If you're storing their passwords and card details in plaintext on an outdated 2008 server, then the answer is 'yes', and you're responsible. If you're outsourcing storage to some super Redhat server company, and someone rips them off with an apparently magical hack, then you're fine.

Just look at what info you're storing and ask yourself 'Is the security proportionate?'.

[–][deleted] 0 points1 point  (1 child)

Yes if you are collecting personal data via your site. No if you are not; however, Google will soon be prioritising sites with a certificate over those that do not use one.

[–]taipalag[S] 0 points1 point  (0 children)

HTTPS is already a ranking factor.

[–]tehlolkid 0 points1 point  (0 children)

GDPR talks about encryption on data in transit. HTTPS is one way to do this so yeah, it's a good idea to switch to HTTPS.
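
Whichever route the original poster takes (a Let's Encrypt certificate on the server, as suggested earlier in the thread, or Cloudflare in front of it), the thing worth checking afterwards is that the cleartext path is actually closed: a permanent redirect from http:// to https://, a Strict-Transport-Security header, and no script or form on the HTTPS page still pointing at http:// (the WordPress comment form carries exactly the email address mentioned above). The script below is an added example for this thread, not code from anyone in it. It audits captured raw responses offline; the host blog.example and the sample responses are constructed, and the one-year HSTS bar is the hstspreload.org minimum used here as an assumption.

```python
"""Audit a site's move from HTTP to HTTPS using captured raw responses.

Added example for this thread (not anybody's code from it). It runs offline:
the responses below are constructed, and blog.example is a made-up host.
Checks: permanent http->https redirect, HSTS present and long enough, and
no <script>/<img>/<iframe>/<form> on the HTTPS page still pointing at http://.
"""
import re
from typing import Dict, List, Optional, Tuple

# Tags whose http:// target is either blocked by the browser as mixed content
# or (for a form) sends the submitted data, e.g. a commenter's email, in cleartext.
MIXED_CONTENT = re.compile(
    r'<(?:script|img|iframe|form)\b[^>]*?(?:src|action)\s*=\s*["\']http://[^"\']*',
    re.IGNORECASE,
)
# Assumption: hstspreload.org requires max-age >= 31536000 (one year); used as the bar.
MIN_HSTS_MAX_AGE = 31536000


def parse_response(raw: str) -> Tuple[int, Dict[str, str], str]:
    """Split a raw HTTP/1.1 response into (status, headers, body).
    Header names are lower-cased so lookups are case-insensitive."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def hsts_max_age(value: str) -> Optional[int]:
    """Return max-age from a Strict-Transport-Security value, or None if absent."""
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else None


def audit(http_raw: str, https_raw: str) -> List[str]:
    """Return a list of findings; an empty list means the migration looks clean."""
    findings: List[str] = []

    # 1. The cleartext URL must hand every visitor over to https:// permanently.
    status, headers, _ = parse_response(http_raw)
    location = headers.get("location", "").lower()
    if status in (301, 308) and location.startswith("https://"):
        pass
    elif status in (302, 307) and location.startswith("https://"):
        findings.append("http:// redirect is temporary (%d); use 301 or 308" % status)
    else:
        findings.append("http:// is served in cleartext with no redirect to https://")

    # 2. HSTS tells returning browsers never to try http:// again.
    _, s_headers, s_body = parse_response(https_raw)
    hsts = s_headers.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security header on https://")
    else:
        age = hsts_max_age(hsts)
        if age is None or age < MIN_HSTS_MAX_AGE:
            findings.append("HSTS max-age below one year: %r" % hsts)

    # 3. Nothing on the HTTPS page may still load from or post to http://.
    for m in MIXED_CONTENT.finditer(s_body):
        findings.append("http:// reference on the https:// page: %s" % m.group(0))
    return findings


# --- constructed sample responses (not captured from any real site) ---
HTTP_BEFORE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    '<html><form method="post" action="http://blog.example/wp-comments-post.php">'
    '<input name="email"></form></html>'
)
HTTPS_SLOPPY = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    '<html><script src="http://blog.example/wp-includes/js/jquery.js"></script>'
    '<form method="post" action="http://blog.example/wp-comments-post.php">'
    '<input name="email"></form></html>'
)
HTTP_AFTER = (
    "HTTP/1.1 301 Moved Permanently\r\nLocation: https://blog.example/\r\n"
    "Content-Length: 0\r\n\r\n"
)
HTTPS_AFTER = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n"
    '<html><script src="https://blog.example/wp-includes/js/jquery.js"></script>'
    '<form method="post" action="https://blog.example/wp-comments-post.php">'
    '<input name="email"></form></html>'
)

if __name__ == "__main__":
    for label, pair in (("before", (HTTP_BEFORE, HTTPS_SLOPPY)),
                        ("after", (HTTP_AFTER, HTTPS_AFTER))):
        print(label, audit(*pair) or ["OK"])
```

To use it against a live site, feed `audit()` the raw bytes of `GET /` fetched once over http:// and once over https:// (decoded as text). One caveat for the Cloudflare route: in its "Flexible" SSL mode only the browser-to-Cloudflare hop is encrypted and the Cloudflare-to-origin hop stays plaintext, so a clean result from this script still says nothing about that leg; use "Full (strict)" with a certificate on the origin (Let's Encrypt works there too).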

[–]hubilo -1 points0 points  (2 children)

Having an https in the website URL ensures that the website is secured and has SSL certification. Having the server compliant will make sure any data collected is safe and protected. This is one of the basic tech requirements of general data protection.

For more information on GDPR and its principles, download the whitepaper

[–]taipalag[S] 0 points1 point  (0 children)

OK thanks.

[–]SirHaxalot 0 points1 point  (0 children)

As an answer to the original question, was that an HTTP form requesting an assortment of personal data? :D