by eganist 3388 days ago
Keeping it extremely high level:

Among other reasons, not encrypting traffic gives an opportunity for bad actors to replace content in transit to your end users when your end users are on compromised connections, such as rogue "free" wifi networks in airports or coffee shops, or even legitimate networks which have in some way been compromised, e.g. the ISPs of the world who decide to inject other content e.g. their own ads into unencrypted traffic.

The next question is usually "what could they possibly do, change a few pictures?"

They could inject malicious payloads, and for all your users would know, it would appear to them that it came from your site.

> I can't use LetsEncrypt with my hosting provider

Consider switching. For a static site, consider GitLab; they do a good job of permitting LetsEncrypt.

---

I sincerely appreciate the question, though. I have marketing people ask me this question all the time in private who hesitate to do so in public because quite a few security types berate them for not doing something "obviously" more secure. It's not at all obvious to most of the world's web designers and content creators that a static site should be TLS'd until it's framed (heh) in this manner. The fact that you asked brings about a massive educational moment.

Anyway, consider switching hosts. :)

3 comments

May I add an example? Let's say you are a drug company and you offer a number of different drugs. With TLS I only know that you are interested in a drug that company produces or the company itself; without it I know you or someone you care about has erectile dysfunction.
No, that is not all an attacker could know. TLS does not provide confidentiality of the number of bytes transmitted. So in your example, an attacker would only have to crawl the public website and find the pages matching in size to the ones you have been browsing.
There are web server modules that will append random-length comments to the end of a page's HTML in order to foil this kind of attack.

https://github.com/nulab/nginx-length-hiding-filter-module
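An added example, not part of the thread and not the linked module's code: it models the size-matching concern and the random-length comment defence discussed above, to show how much ambiguity padding buys on a small site. The page names, sizes, `MAX_PAD` value and comment wrapper are constructed assumptions, and compression and TLS record overhead are ignored.

```python
import secrets

# Constructed sample body sizes in bytes for a small site (not real measurements).
PAGES = {"/drug-a": 18230, "/drug-b": 18950, "/drug-c": 21544, "/about": 9120}

MAX_PAD = 2048               # assumed cap on the random filler length
WRAP = (b"<!-- ", b" -->")   # filler is wrapped in an HTML comment
OVERHEAD = len(WRAP[0]) + len(WRAP[1])

def pad_html(body: bytes, max_pad: int = MAX_PAD) -> bytes:
    """Append an HTML comment holding 1..max_pad random filler bytes."""
    n = secrets.randbelow(max_pad) + 1
    filler = secrets.token_hex(n)[:n].encode()
    return body + WRAP[0] + filler + WRAP[1]

def candidates(observed: int, pages: dict, max_pad: int = 0) -> list:
    """Pages that could have produced a response body of `observed` bytes."""
    if max_pad == 0:
        # No padding: the size is an exact fingerprint.
        return sorted(p for p, size in pages.items() if size == observed)
    return sorted(
        p for p, size in pages.items()
        if size + OVERHEAD + 1 <= observed <= size + OVERHEAD + max_pad
    )

def ambiguity(pages: dict, max_pad: int) -> dict:
    """For each page, the other pages whose padded size range overlaps its own."""
    return {
        p: sorted(q for q, other in pages.items()
                  if q != p and abs(other - size) < max_pad)
        for p, size in pages.items()
    }

if __name__ == "__main__":
    print("unpadded 18950 ->", candidates(18950, PAGES))
    print("padded   19459 ->", candidates(19459, PAGES, MAX_PAD))
    for page, peers in ambiguity(PAGES, MAX_PAD).items():
        print(page, "shares a size range with", peers or "nothing")
```

Pages whose sizes differ by more than the padding cap stay distinguishable, so the cap has to be chosen against the spread of page sizes on the site.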

Cookies, user-agent header, and keep-alives will make that very hard to figure out.
Couldn't this be thwarted by injecting random bytes into each page served to vary the file sizes?
Good point, I hadn't considered that.
Using netlify with ghpages is extremely fast because of their CDN, A+ on SSL Labs, and free.
Has Google disclosed all investments in CA providers?

don't know the answer myself here.. there are good technical reasons, I agree..

but it is a logical fact that if Google search was always 100%, there would be no need for AdWords and site ads...

Google is a platinum sponsor for Let's Encrypt, which is slowly taking away market share from almost all commercial CAs[1]. They've also removed special treatment for EV certificates on mobile browsers (and are regularly thinking out loud about doing the same for their desktop browser), taking away most of the incentive for using a commercial CA (and not a free DV CA like Let's Encrypt). There's probably also a good chance that they'll offer something like Amazon's ACM (free certificates for various AWS services) as part of their Google Cloud offerings with their newly-acquired roots[2].

I think we can safely say that this would be a very weird way to go about earning a few bucks through CA investments.

[1]: https://w3techs.com/technologies/history_overview/ssl_certif...

[2]: http://pki.goog/