by jbb555 4331 days ago
"The decision could encourage more sites to turn on encryption, which makes them less vulnerable to hacking".

What? This is entirely wrong. It makes them more vulnerable to hacking. There is a whole lot more complex software and configuration to get right, and we know SSL doesn't have a great recent history of that....

Of course it helps secure the communications, which presumably is what they meant, but it's 100% wrong with the statement the article actually says.

2 comments

If you consider stuff like sniffing cookies to steal sessions as hacking, which most people do, then it's true.

In terms of compromising the server, you're right.

As somebody else pointed out recently in another thread, being able to steal session cookies can even help you attack the server directly, as authenticated users usually have more/different write access to databases and the like, making (e.g.) SQL injections easier. In this regard, even if you don’t consider it “hacking a website” if someone steals session cookies, HTTPS makes it more difficult to “hack websites” in the sense of “getting root access to the server”.

How that compares to the increased attack surface of the HTTPS implementation is of course up for debate.

That line caught me too.

It makes YOU (the consumer) less vulnerable to "hacking" (MiTM); it actually doesn't make the website less vulnerable and, as you quite correctly pointed out, somewhat more (just due to increased attack surface).

That's a large part of the reason HTTPS/SSL isn't more common: It doesn't benefit the website as much as it benefits their customers and there are both real and perceived costs in deploying HTTPS.

So you have to put pressure on them (websites) to adopt secure defaults. Google are now helping hugely.