Is HTTPS Always Necessary?

The hypertext transfer protocol (HTTP) is perhaps the most pervasive development on the Web, being the one thing that all websites use to send data to browsers. Its secure version (HTTPS) uses transport layer security (TLS) to protect the communication between you and the websites you browse by keeping it private.

If you’ve been on the Internet since the late 90s, you’ll probably notice that since 2007 the ubiquity of “https://” in URLs has increased almost exponentially. Is using HTTPS everywhere necessarily a good thing?

HTTPS works by encrypting your connection to the server in such a way that your communication cannot be sniffed by a third party. If a website gives you a cookie (for your login session, for example), anyone who grabs your cookie can act on your behalf from their computer, essentially making them an impostor. By making the connection private and encrypted, such a thing is much less likely.
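The cookie risk described above, as an added example that is not part of the original article: a Python check that reads a Set-Cookie header and reports the ways a passive network observer could read the session cookie. The URLs and cookie values are constructed samples, and the check relies on the standard Secure cookie attribute, which tells the browser to send the cookie only over HTTPS.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample responses: (URL that set the cookie, Set-Cookie value).
SAMPLE_RESPONSES = [
    ("http://shop.example/login", "session=7f3a9c; Path=/; HttpOnly"),
    ("https://shop.example/login", "session=7f3a9c; Path=/; HttpOnly"),
    ("https://shop.example/login", "session=7f3a9c; Path=/; Secure; HttpOnly"),
]


def audit_cookie(set_by_url, set_cookie_value):
    """Return the ways a passive network observer could read this cookie."""
    jar = SimpleCookie()
    jar.load(set_cookie_value)
    scheme = urlsplit(set_by_url).scheme
    findings = []
    for name, morsel in jar.items():
        if scheme == "http":
            # The Set-Cookie header itself crossed the network unencrypted.
            findings.append(f"{name}: set over plain HTTP, visible when issued")
        if not morsel["secure"]:
            # Without Secure, the browser also attaches the cookie to any
            # later http:// request for the same host, even if login used HTTPS.
            findings.append(f"{name}: no Secure attribute, sent on http:// requests")
    return findings


def audit_all(responses):
    """Map each (url, header) pair to its list of findings."""
    return {pair: audit_cookie(*pair) for pair in responses}


if __name__ == "__main__":
    for (url, header), findings in audit_all(SAMPLE_RESPONSES).items():
        status = "; ".join(findings) if findings else "not exposed to sniffing"
        print(f"{url}  [{header}]\n    -> {status}")
```

The second sample is the case worth noticing: the login page uses HTTPS, yet the cookie can still leak on any later plain-HTTP request to the same host.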

The problem with HTTPS historically has been the cost of implementing it as a host. You had to have a lot of processing power back in the day to be able to encrypt the thousands of connections larger websites had to handle. The prohibitive cost (at least in terms of computing power) needed to run an HTTPS website is no longer a factor because of the impressive amount of speed that even the most affordable CPUs have boasted in more recent years.

This still raises the question: is it always necessary to use HTTPS on a web server?

You’ll see lots of major initiatives trying to promote the use of HTTPS in every situation on every website everywhere. With one broad brush, they wish to paint the entire world in the hue of encryption. This gives people the perception that it is a necessity in every situation.

The idea that HTTPS must be used in everything and the truth are, as usual, parallel to one another. The truth is that HTTPS is only useful in situations where data related to you personally is being exchanged. Allow me to explain. When you log into Facebook or whatever you use to distribute memes, you send intimate data about yourself, such as your username and password, to the company’s servers. That should be encrypted if you don’t want third parties to have access to it, especially when you are connecting through a public Wi-Fi hub.

But what about static sites that are there to send you information about themselves without ever asking for any data from you? These kinds of sites are a bit of a rarity nowadays, but they’re still around. Frankly, they do not need HTTPS to maintain your security. And if they are sending their data indiscriminately, it’s likely that they don’t need to keep it private.

There are many sites out there that use HTTPS without it actually serving a productive purpose, but they are few and far between. The reason HTTPS is the go-to option for most web hosts is that it is so easy to implement in this day and age. The low cost in terms of processing power barely shows up as a blip on the radar. The general market has decided that it is easier to just slap HTTPS on everything, as a way of saying “better safe than sorry,” than to debate whether or not it should be used.

Whether or not HTTPS should be used everywhere is a question whose answer won’t change the way the Web marches on. It’s already being answered by millions of individuals acting of their own accord, and that answer seems to be a resounding “yes!”

Do you think that HTTPS should be debatable on an individual basis? Or would you rather only visit sites that use it? Tell us your reasoning in a comment!
