by matrss 900 days ago
> If the data is public and no login or personal/sensitive data is involved why do I need https?

Do you care whether the data actually comes from your weather forecasting service and was not tampered with by a third party? Then you need https as well.

A different example: a podcasts website I've seen was served over http, and someone argued the same (data is public, no login). The page contained an IBAN for donations. That would be a valuable target to replace as an MitM.

1 comments

No need for encrypted data transfer here. Proven authority would be enough
I am not familiar with the term "proven authority", but I assume what you mean is that it is enough to prove the authenticity of the data in this case. Yes, a cryptographic signature of the page's content would be enough here, but then you would still have some kind of PKI and cryptography involved and in the end https is the best supported approach for that.

Defaulting to full https also has the advantage that you don't have to re-evaluate if you should be using https in the future, when you make some changes to the functionality or content of a website.

HTTPS is the method by which authority is proven.
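
An added example, not part of the thread: the signed-page idea discussed above, sketched with Node's built-in Ed25519 support. It shows that a signature detects a changed page body without any encryption, and that the check only holds when the client already trusts the publisher's key, which is the PKI problem the reply points to. The function names, keys and the IBAN text are constructed for illustration.

```javascript
// Added example: all names, keys and page text here are constructed.
const crypto = require('crypto');

// Publisher side: sign the page body with an Ed25519 private key.
function signPage(body, privateKey) {
  return crypto.sign(null, Buffer.from(body, 'utf8'), privateKey);
}

// Client side: accept the body only if the signature verifies under
// the public key the client has decided to trust.
function verifyPage(body, signature, trustedPublicKey) {
  return crypto.verify(null, Buffer.from(body, 'utf8'), trustedPublicKey, signature);
}

const publisher = crypto.generateKeyPairSync('ed25519');
const thirdParty = crypto.generateKeyPairSync('ed25519');

// Page served over plain http, with a placeholder donation IBAN.
const page = 'Donate: IBAN DE00 0000 0000 0000 0000 00 (constructed)';
const sig = signPage(page, publisher.privateKey);

// Case 1: only the body is changed in transit.
const tampered = page.replace('DE00 0000', 'XX99 9999');

// Case 2: body, signature and advertised key are all replaced in transit.
const replacedSig = signPage(tampered, thirdParty.privateKey);

function results() {
  return {
    // Unmodified page, publisher key: accepted.
    untouched: verifyPage(page, sig, publisher.publicKey),
    // Modified body, original signature: rejected.
    bodyTampered: verifyPage(tampered, sig, publisher.publicKey),
    // Client pinned the publisher key out of band: rejected.
    replacedWithPinnedKey: verifyPage(tampered, replacedSig, publisher.publicKey),
    // Client took the key from the same plaintext response: accepted,
    // so the signature proves nothing without a trusted key source.
    replacedWithInBandKey: verifyPage(tampered, replacedSig, thirdParty.publicKey),
  };
}

console.log(results());
```

The last case is why a bare signature is not sufficient on its own: something has to vouch for the key, and on the web that role is filled by the certificate chain that https already validates.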