by Kiro 3388 days ago
I don't understand why I need to use https on a static marketing webpage. No login stuff, no JavaScript, nothing. Just straight up HTML and CSS. Right now I need to pay about $150 every year for something that's only used to satisfy Google PageRank (I can't use LetsEncrypt with my hosting provider). Why?
7 comments

Keeping it extremely high level:

Among other reasons, not encrypting traffic gives an opportunity for bad actors to replace content in transit to your end users when your end users are on compromised connections, such as rogue "free" wifi networks in airports or coffee shops, or even legitimate networks which have in some way been compromised, e.g. the ISPs of the world who decide to inject other content e.g. their own ads into unencrypted traffic.

The next question is usually "what could they possibly do, change a few pictures?"

They could inject malicious payloads, and for all your users would know, it would appear to them that it came from your site.

> I can't use LetsEncrypt with my hosting provider

Consider switching. For a static site, consider Gitlab; they do a good job of permitting LetsEncrypt.

---

I sincerely appreciate the question, though. I have marketing people ask me this question all the time in private who hesitate to do so in public because quite a few security types berate them for not doing something "obviously" more secure. It's not at all obvious to most of the world's web designers and content creators that a static site should be TLS'd until it's framed (heh) in this manner. The fact that you asked brings about a massive educational moment.

Anyway, consider switching hosts. :)

May I add an example. Let's say you are a drug company and you offer a number of different drugs. With TLS I only know that you are interested in a drug that company produces, or in the company itself; without it, I know you or someone you care about has erectile dysfunction.

No, that is not all an attacker could know. TLS does not provide confidentiality of the number of bytes transmitted. So in your example an attacker would only have to crawl the public website and find the pages matching in size to the ones you have been browsing.

There are web server modules that will append random-length comments to the end of a page's HTML in order to foil this kind of attack:

https://github.com/nulab/nginx-length-hiding-filter-module
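An added example for the length-hiding idea in this sub-thread (written here; it is not the nginx module's code and was not posted in the thread): a small Python response filter that appends a random-filler HTML comment so every page body is padded to the next multiple of an assumed 4096-byte bucket, plus a helper that counts how many distinct sizes an on-path observer of a constructed three-page site could tell apart before and after padding.

```python
import secrets
import string

BUCKET = 4096  # assumed padding granularity: every body is padded to a multiple of this

# Constructed sample site. Each page has a different length, so even over TLS an
# observer who has crawled the public site can tell the pages apart by size alone.
SITE = {
    "/index.html": "<html><body>Welcome to the pharmacy</body></html>",
    "/products/aspirin.html": "<html><body>" + "Aspirin relieves pain. " * 40 + "</body></html>",
    "/products/ed.html": "<html><body>" + "Treatment details. " * 55 + "</body></html>",
}


def candidates_by_length(site, observed_len):
    """Pages whose body length equals an observed size; a defender wants this set large."""
    return sorted(path for path, body in site.items() if len(body.encode()) == observed_len)


def pad_html(body, bucket=BUCKET):
    """Append an HTML comment so the encoded body length becomes the next multiple of `bucket`.

    Random letters are used so the padding has no fixed signature; apply this after any
    compression step, otherwise the pad itself would be shrunk and the sizes would differ again.
    """
    raw = body.encode()
    overhead = len("<!--") + len("-->")
    target = ((len(raw) + overhead + bucket - 1) // bucket) * bucket  # ceil to next bucket
    fill_len = target - len(raw) - overhead
    filler = "".join(secrets.choice(string.ascii_letters) for _ in range(fill_len))
    return body + "<!--" + filler + "-->"


def padded_site(site, bucket=BUCKET):
    """Apply pad_html to every page, as a response filter module would."""
    return {path: pad_html(body, bucket) for path, body in site.items()}


def distinct_sizes(site):
    """Number of different body lengths an on-path observer could distinguish."""
    return len({len(body.encode()) for body in site.values()})


if __name__ == "__main__":
    print("distinct sizes before padding:", distinct_sizes(SITE))
    print("distinct sizes after padding: ", distinct_sizes(padded_site(SITE)))
```

With a 4 KiB bucket all three sample pages end up exactly 4096 bytes long, so a size match now yields every page instead of one.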

Cookies, user-agent header, and keep-alives will make that very hard to figure out.
Couldn't this be thwarted by injecting random bytes into each page served to vary the file sizes?
Good point I hadn't considered that.
Using netlify with ghpages is extremely fast because of their CDN, A+ on ssl labs, and free.
Has google disclosed all investments in CA providers?

I don't know the answer myself here... there are good technical reasons, I agree...

But it is a logical fact that if Google search were always 100%, there would be no need for AdWords and site ads...

Google is a platinum sponsor for Let's Encrypt, which is slowly taking away market share from almost all commercial CAs[1]. They've also removed special treatment for EV certificates on mobile browsers (and are regularly thinking out loud about doing the same for their desktop browser), taking away most of the incentive for using a commercial CA (and not a free DV CA like Let's Encrypt). There's probably also a good chance that they'll offer something like Amazon's ACM (free certificates for various AWS services) as part of their Google Cloud offerings with their newly-acquired roots[2].

I think we can safely say that this would be a very weird way to go about earning a few bucks through CA investments.

[1]: https://w3techs.com/technologies/history_overview/ssl_certif...

[2]: http://pki.goog/

Here's why: Many ISPs hijack HTTP connections and inject ads and tracking JS into the page. If you don't use HTTPS, your page is screwed.

The Internet is not a safe place. We should aim for HTTPS EVERYWHERE.

This is a really good point. Usually we talk about protecting against a third party, but the far more ordinary use case is protecting against the adversary right on the other side of your router.
Also transcoding images to be terrible quality. If you care about your images not looking like crap, you should serve them over HTTPS.
> Many ISPs

I think that's a bit sensationalist.

Verizon, Comcast, and Rogers have done it, that we know of. In North America that's a very large proportion of traffic.
Maybe it is even worse when it is just a few - people won't know that the website creator isn't responsible for all of its content. And sometimes it is hard to know who is the culprit, like in https://news.ycombinator.com/item?id=12091900 .

Is there any solution other than totally killing HTTP that protects from HTTPS stripping attacks? HSTS won't protect first visit and STS preload lists can only be so large.

It's not, it happens at a ton of coffee shops, on airplanes, etc, etc. Probably not ISPs you buy home internet from, but there are a lot.
Vodafone in the UK did this to me.
Vodafone is the worst. Although it's really the U.K. surveillance state that is the problem.

When I popped my SIM into my iPhone it forced me to download a configuration profile with a self-signed Vodafone cert, which means they can MITM any connection. I think this is required by the government so they can block adult websites by default? (I've also seen torrent websites fail silently with misleading "server not found" errors.)

I haven't looked into if they're doing the filtering via DNS or mitm, but I avoid the censorship by connecting to a vpn.

I have never heard of the self-signed certificate, that would be interesting to report to the Open Rights Group [1]

The filtering in the UK is by inspecting HTTP requests, so when a single image on wikipedia.org was blocked, every request to Wikipedia ended up going through each ISP's hidden proxy. [3]

According to [2], HTTPS sites aren't filtered -- but it references a page from 2004. I suspect HTTPS sites are now simply blocked outright at either DNS or IP level, but I don't have a way to verify this, and can't find any details.

[1] https://wiki.openrightsgroup.org/wiki/Internet_censorship

[2] https://wiki.openrightsgroup.org/wiki/Cleanfeed#cite_note-LI...

[3] https://en.wikipedia.org/wiki/Child_abuse_image_content_list...

Here are some screenshots of the text I got and the profile I had to install.

Correct me if I'm wrong but I'm pretty sure this enables complete MITM by Vodafone when using cellular network.

http://imgur.com/b0il5xb http://imgur.com/3mw5ZGZ http://imgur.com/6ehhfuZ

I don't know why Vodafone are doing that, but you shouldn't go around telling people that it's because of "the U.K. surveillance state" because other UK ISPs don't do that.

The "server not found" errors sound like DNS blocking, which they can do without MITM.

Yeah, why are you using a bad hosting provider?
When I was in the EU, I saw both Vodafone and Three inject banners on the top of websites in various countries.

They're not as easy to get away from as you think.

Legacy and one of the only hosting providers in my country. I don't want to risk worse localized SEO by hosting it outside.
I've been reading up on localisation SEO lately - as far as I understand, Google only uses "server IP is located in X country" as an indicator of where a site might be localised for, if it can't get any better information.

For example, if you're using a ccTLD for the domain, or if it's a generic-TLD and you declare a country in Google Webmaster Tools, that will be a much stronger weighting.

Of course, if that's wrong I'd love to know!

Thank you. The actual web app is hosted on Linode in Frankfurt (using LetsEncrypt for https) so maybe I should host the marketing page there as well if that's true.
Most of the answers you're getting aren't all that big of deal for your site. You still might want https though.

You should think about https for sites like yours the way you think about vaccines. SSL everywhere makes everyone safer, even though it doesn't have a tremendous impact on your own site.

Also, shameless plug, if you want really easy SSL you can use our new startup: https://fly.io. I'm not sure what country you're in, but we have a bunch of servers all over to help make it fast. :)

Bit of nitpicking, but on mobile the balloon is cut off a bit at the top :)
Huh. Which device/browser? It's such a pretty balloon, I'd hate to lose a piece of it.

You can email me if you want to avoid cluttering HN: mrkurt at gmail.

500
Well that's embarrassing. :/
If you have a marketing webpage, you might have a link to signup or login pages. If you can hijack the index page you'll also be able to hijack the links.
Even if you don't have signup or login pages, a MITM attacker can add them. Or they could add a "buy now!" link with a convenient entry form for the user's bank details. The relevant question isn't what your page has that's so important, but rather what an attacker could make it have that would cause trouble.
2 reasons. The first is practical: integrity. Https guarantees the site your visitors see is the site you sent them.

The second is more moral. Making https the default means more and more of the web will be encrypted and authenticated. This is a good thing.

Why use ssh over telnet?