AS4 | Evan Hoose

Why I don't use HTTPS, and why you should.

Why I don't use HTTPS

I do. This was outdated. I also serve this site on http for anyone who can't access https for some reason.

Why you - yes you - should use HTTPS, at least as an option.

Even for sites which are accessed on devices or from networks which can't handle https for whatever reason, you should still use https.

You can get a cert for free from Let's Encrypt. If you're using Nginx or Apache, there are modules available to automate Let's Encrypt certificate installs, and if you're using Caddy then it will automatically be configured for you under most circumstances.
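A minimal nginx configuration for the setup described above: HTTPS offered alongside plain HTTP, with no forced redirect. This is an added example, not the author's own configuration; `example.com`, the static web root and the certificate paths (certbot's default layout) are assumptions.

```nginx
# Added example: one server block that answers on both plain HTTP and HTTPS.
# example.com, the web root and the certificate paths are placeholders;
# the paths follow certbot's default layout under /etc/letsencrypt/live/.
server {
    listen 80;
    listen [::]:80;
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Assumed: a static site served from this directory.
    root  /var/www/example.com;
    index index.html;

    # No "return 301 https://..." here: HTTP stays available for clients
    # that cannot do TLS, and HTTPS is there for everyone else.
    # Leave out Strict-Transport-Security in this setup: a browser that has
    # seen that header over HTTPS stops using the plain-HTTP site for this host.
    location / {
        try_files $uri $uri/ =404;
    }
}
```

Validate the file with `nginx -t` before reloading.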

While there is an argument that doing this cedes too much control of the web to nebulous entities (the central CAs), please keep in mind those who are living in locations where the ISPs cannot be trusted.

There are known cases of ISPs tampering with code in transit. For those of you in the US who don't care about other parts of the world, please note that the last link is in reference to US ISPs.

Unless you're signing your code, you can't trust that it's being delivered the way you sent it.