This post is kind of a follow-up to my "Your website sucks!" post (you can read it at https://blog.jaekr.dev/index.php?post/2019/10/03/Your-website-sucks%21 ).
Recently, I had a conversation with a guy who pretended to be a good admin. He currently owns a forum running on phpBB and a Minecraft game server.
I have played on this server for the last five years (or more) and I noticed that the website had no HTTPS (which is such a heresy to me).
So I got on his IRC, sent a direct message and tried to get a clear response.
The conversation went a little like this:
- Me: Hey, I noticed that your website is still in HTTP instead of HTTPS, can you consider adding HTTPS since you have people connecting to the forum and using -maybe- a password they use everywhere?
- Him: No, I don't need HTTPS, I use Google's reCAPTCHA and I think they are secure so I have no problems.
- Me: Yes, they are secure but you are not, even if Google has good security, passwords on YOUR website can still be exposed to attackers. Check this website https://doesmysiteneedhttps.com/
- Him: No, I'm good, who is gonna attack my website anyway?
- Me: I don't know but it's better to be prepared for everything.
- Him: Yeah, yeah, whatever, to be honest, I think that "insecure websites" are just browsers freaking out with no real reason.
- Me: You aren't serious, are you?
- Him: What?
- Me: Then delete my account please.
- Him: I think you have an anger problem.
- Me: I think you have brain problems. Delete my account!
- Him: lol
- Me: -disconnects-
As you can see, even in 2019, people still can't see the security issues of HTTP and won't get HTTPS (which is free and easy to install and even included in some web servers) because "I don't need security, others already have it".
Saying this is like your neighbor having a reinforced door and you saying "I don't need a door, my neighbor already has sufficient protection."
The thing is: if one day some burglar comes by, he will not focus on your neighbor's door but on yours. Why break security when there is none right next door?
To sum up: please secure your website with HTTPS. You can only benefit from it, and some people still don't understand that to this day.
If you have a friend or a co-worker with a website that does not use HTTPS, or simply have one yourself, please tell him/her/yourself to install it. It is free and easy to install; check https://letsencrypt.org/ for more information.
Please do this for everyone, for yourself, for your users. Please contribute to a safer internet.
If you are a regular user and see a website that does not use HTTPS, you can try to contact the owner of the website and ask him (nicely) to install it. You can send https://doesmysiteneedhttps.com/ if he asks for information. If the owner refuses, try to stay as far as possible from the website.
Well, I'll see you again next time.