Here's Why Your Static Website Needs HTTPS


Here's a great post from Troy Hunt (@troyhunt):

Here’s Why Your Static Website Needs HTTPS

It was Jan last year that I suggested HTTPS adoption had passed the “tipping point”, that is, it had passed the moment of critical mass and as I said at the time, “will very shortly become the norm”. Since that time, the percentage of web pages loaded over a secure connection has rocketed from 52% to 71% whilst the proportion of the world’s top 1 million websites redirecting people to HTTPS has gone from 20% to about half (projected). The rapid adoption has been driven by a combination of ever more visible browser warnings (it was Chrome and Firefox’s changes which prompted the aforementioned tipping point post), more easily accessible certificates via both Let’s Encrypt and Cloudflare and a growing awareness of the risks that unencrypted traffic presents. Even the government has been pushing to drive adoption of HTTPS for all sites, for example in this post by the National Cyber Security Centre in the UK:

all websites should use HTTPS, even if they don’t include private content, sign-in pages, or credit card details

Simply put, any unsecured traffic served over HTTP can be intercepted (MITM) and have content injected into it (thanks, JavaScript!), and it's not about protecting your content as a host but about protecting the users viewing that content.

Do watch the video; it is all clearly explained there.