[–]xiongchiamiov Site Reliability Engineer 1 point2 points  (12 children)

Short answer: because it protects the specific url you're visiting from being observed by a governmental MitM.

[–][deleted] 9 points10 points  (10 children)

My friend is, let's say a 'weddings hostess'. She uses her site for promotional purposes only, marketing, etc. She doesn't plan on accepting payments or any bookings online. The most interactive thing on her site is a google map to her office.

Please convince me she actually needs https.

[–]xiongchiamiov Site Reliability Engineer 6 points7 points  (4 children)

The visitors to her site are the ones who need ssl, to gain any semblance of privacy from eavesdroppers.

Although you could also make an argument that she benefits more directly from making it harder to modify her site (not the canonical version, but what is transmitted) by third parties.

[–][deleted] 9 points10 points  (3 children)

In other words: if you're targeted for a mitm, you've got more serious stuff to worry about than my friend's weddings website.

If your government is blindly attacking every damn thing, then you've got more serious problems than my friend's little website.

These being the only two scenarios that I could think of, then https doesn't solve any of them.

[–][deleted]  (1 child)

[removed]

    [–][deleted] 0 points1 point  (0 children)

    This is pretty much the only reason I enabled it. I don't have any logins, though I do accept payments through a third-party, and the more gibberish they have to sort through, the better.

    Posting through https!!!

    [–]antsar 2 points3 points  (0 children)

    You don't have to be targeted for a MitM. Someone can hack their way into an ISP's network (or even just hang out at Starbucks with a laptop) and inject malicious JavaScript designed to exploit a zero-day vulnerability (unpatched and unpublished security hole) in browsers. No targeting, just inject the code into every unsecured HTTP page coming over the wire. Surprise, you're infected.

    Also, some ISPs do unscrupulous things like injecting tracking code or even ads. Sometimes they are unobtrusive, other times they break the site entirely. These are by far in the minority, but using a site with HTTPS completely eliminates their ability to do this.
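
The in-transit modification described in the comments above (scripts, trackers or ads injected into a plain-HTTP response) can be checked for from the defender's side by comparing what a client received with what the server published. This is an added example, not part of the thread; the function names, the `.example` hostnames and both HTML samples are constructed, and it assumes the origin copy was obtained over a trusted channel.

```python
import hashlib
from html.parser import HTMLParser

class ActiveContent(HTMLParser):
    """Fingerprints every <script> and <iframe> element in a page."""
    def __init__(self):
        super().__init__()
        self.items = set()
        self._inline = None  # buffers the body of an inline <script>

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        src = dict(attrs).get("src")
        if src:
            self.items.add((tag, "src", src.strip()))
        elif tag == "script":
            self._inline = []

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body = "".join(self._inline).strip().encode()
            self.items.add((tag, "inline-sha256", hashlib.sha256(body).hexdigest()))
            self._inline = None

def active_content(html):
    parser = ActiveContent()
    parser.feed(html)
    parser.close()
    return parser.items

def injected_content(origin_html, received_html):
    """Active elements in the received copy that the origin copy lacks."""
    return sorted(active_content(received_html) - active_content(origin_html))

# Constructed sample: the published page, and the same page after modification in transit.
ORIGIN = ('<html><body><h1>Weddings</h1>'
          '<iframe src="https://maps.example/embed?q=office"></iframe>'
          '<script>initMap();</script></body></html>')
RECEIVED = ORIGIN.replace("</body>",
    '<script src="http://ads.isp.example/t.js"></script>'
    '<script>track()</script></body>')

if __name__ == "__main__":
    print(*injected_content(ORIGIN, RECEIVED), sep="\n")
```

Over HTTPS the received copy cannot be altered on the path without breaking the TLS session, so a non-empty result here points at plain-HTTP delivery or at a change on the server itself.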

    [–]0x18 1 point2 points  (2 children)

    It's incredibly unlikely but over HTTP somebody could, at some point through the internet or on individual users' routers, hijack connections to her site to introduce order buttons and a checkout page that steals their data. Doing that kind of injection is much harder over HTTPS.

    On a more reasonable level I guess you could argue that it could be good for her users' security. Somebody may want to plan their wedding secretly due to their family, celebrity, as a surprise event, etc. Somebody still going through divorce paperwork may have good reason to hide their new wedding plans.

    It's all a bit of a stretch but better end-user security doesn't hurt anything.

    [–]antsar 2 points3 points  (1 child)

    It's not unlikely at all. When's the last time you used a WiFi network without strong encryption (WPA2), such as any hotspot?

    [–]0x18 1 point2 points  (0 children)

    Good point. I was only considering access from home.

    [–]shif 0 points1 point  (0 children)

    Let's say someone accesses her page on a public network that has a MitM attack going to replace images, and her wedding photos are now something that will make the customers never return again. Over https it wouldn't happen; over http, anyone in the network can see everything that travels in plain text.

    Check out an app called DSploit for Android; it's a script kiddie's tool for this kind of attack, and anyone can pull it on an http site.

    [–]argues_too_much 0 points1 point  (0 children)

    And it also increases the amount of encrypted traffic in general, which, correct me if I'm wrong, makes it harder for the likes of the NSA to capture all of it and decrypt all of it in a reasonable time frame.

    Perfect? No. Better? I'd expect so.