Why do you have to prefer HTTPS over HTTP

[Bl4ckCyb3rEnigm4]

These two transfer protocols allows communication between different systems. The difference between HTTPS and HTTP is that HTTP isn't encrypted(in the case you want to know more https://www.aiowares.com/showthread.php?tid=1537). 

HTTPS supports SSL a certificate used to encrypt the data that is sent and decrypt the data received, instead HTTP send the data unencrypted, making HTTP more vulnerable to MITM(Man In The Middle) attacks. MITM is an attack where the attacker secretly relays and possibly alters the communications between two systems.

Let's say you're buying something from a e-commerce site and someone is trying to steal your credit card information, in the case you use the HTTP version, the attacker will see all the information in clear, instead using HTTPS the attacker will receive only encrypted data, making the attack more complicated or even impossible.

I'm not saying that HTTPS is flawless, everything has a flaw, it's only a matter of time.
The use of an insecure encryption algorithm can render the protocol useless.


Maybe you'll end with the question: "How can I force the browser to use the HTTPS when available?"
Well, there is a plugin that redirects you to the HTTPS version where available:

Code:

https://www.eff.org/https-everywhere

[deadmeme]

Thanks for the short but clear write up on how http and https works. I think this will make the people that didn't know before start enforcing htttps on their sites and servers.

[Lewis3545]

Frankly, if any website loads as http and doesn't force me over to https, then I'm already concerned about their security enough to walk away

[dyxtro]

https is so simple to configure nowadays. If your site uses http instead of https it's just being lazy instead of lacking technical skill

[Oye_Vey]

Let's Encrypt has been a sea change for allowing people to freely HTTPS their websites and services.  Last year it allowed me to switch mine over to HTTPS.  There is a docker image called CADDY that makes it even more convenient than doing it with NGINX etc.

[Phaellow]

There's some compression algorithms that only run on most recent versions of SSL/TLS, so even for static websites, it ends up paying off to use HTTPS because it will have faster transfer speeds.

[Skunk1966]

Thank you for sharing

use the "Add Thank You" button instead of replying with "Thanks, "Thank you" or any simlilar reply.
I suggest to read the forum rules here: https://www.aiowares.com/showthread.php?tid=2
Also read the topic about member ranks here: https://www.aiowares.com/showthread.php?tid=420

unneccessary reply removed

[nsan3]

There are a couple of sites that I visit which does not enforce 'https' , what is mean is, imagine if I add the URL like 'http://abcd.com' , it progresses through.
I hate this because the same website does have the 'https' protocol , which is in my imagine way safer than the 'http' one.

[yyjh]

Let's Encrypt has done a big change to the internet, that is for sure. But the biggest problem of Let's Encrypt's certificates is that most normal people see that little green secure lock at the address bar, they tend to think the website is legit and without any problem. Let's Encrypt has issued a lot of certificates, but has done too little explaining https is not risk free.

[boxesofkittens]

Just saying that Firefox already has a "force HTTPS connection everywhere" setting. Works pretty good.