@Marc Zeedar : it doesn’t matter what you think but what customers think. And they have been taught that https makes them safer and “website is not secure” is scary.
Personally, I think that this is BS and - of course - you are right. But what do I know? My favorite time wasting website has troubles with their certificate now and then, which is kind of ironic. I need to wait until they have sorted this out because the browser tells me that the website is bad, bad bad.
[quote=395171:@Marc Zeedar]I guess I could, but what would that accomplish?
Nothing would change no user information is ever entered on my site, only on the HTTPS connection of the third-party processor. Since that’s secure, why does my site need it?[/quote]
https://doesmysiteneedhttps.com
This isnt a tongue-in-cheek response like Let Me Google That For You. It gives you real reasons why it matters. Take it seriously.
On the other side is the argument that Google is trying to see if they can control the web.
http://this.how/googleAndHttp/
I’m on team “if it doesn’t ask for any user data, HTTPS isn’t required. If there is any input field on the page it should be secured.” I think it’s a fair balance for letting the archived internet pages live on, while protecting the less than savvy users’ data.
Marc, you might consider just using Gumroad external pages (like a traditional shopping cart) if you don’t want to set up SSL. This way your site remains the way you want, and the customer is “assured” their purchase is secure.
Edit: Linkified
To quote a local COMSEC officer with one of those 3 letter agencies - “This is another big brother, knee-jerk reaction to a problem that only exists because users aren’t properly aware of their system’s weaknesses. So long as users are allowed to access the internet with less than no training, this problem won’t go away no matter how secure legitimate entities are made.”
He also related how their team has also uncovered in-the-wild examples of CA spoofing through DNS injection.
[quote=395283:@Tim Jones]To quote a local COMSEC officer with one of those 3 letter agencies - “This is another big brother, knee-jerk reaction to a problem that only exists because users aren’t properly aware of their system’s weaknesses. So long as users are allowed to access the internet with less than no training, this problem won’t go away no matter how secure legitimate entities are made.”
He also related how their team has also uncovered in-the-wild examples of CA spoofing through DNS injection.[/quote]
None of that means that steps to improve the situation shouldnt be made.
[quote=395171:@Marc Zeedar]I guess I could, but what would that accomplish?
Nothing would change no user information is ever entered on my site, only on the HTTPS connection of the third-party processor. Since that’s secure, why does my site need it?[/quote]
Do you feel safe writing your credit card details on an unsecure website? Maybe
Do your visitors feel safe writing their credit card details on an unsecure website? Possibly not
Do your visitors right-click the form to inspect the html code and check that it is posted to a secure server? Certainly not
The forum censored J E R K 
You are correct, but what is the right way? https isn’t it, that’s a band-aid.
[quote=395288:@Tim Jones]The forum censored J E R K
You are correct, but what is the right way? https isn’t it, that’s a band-aid.[/quote]
TLS is the answer. We need encrypted DNS. It exists, but its been difficult getting it widely adopted.
[quote=395287:@Jeremie Leroy]Do you feel safe writing your credit card details on an unsecure website? Maybe
Do your visitors feel safe writing their credit card details on an unsecure website? Possibly not
[/quote]
Of course I don’t feel safe doing that and no one should – but that’s not what’s happening as the credit card info is only entered on the third-party processor’s secure site.
(I personally always look for the lock icon before I enter any personal info.)
I do get the perception thing, as some naive users (or overeager web browsers) might not realize what’s really going on, but making the site use HTTPS sounds like overkill to me.
I will research it, however.
[quote=395315:@Marc Zeedar]Of course I don’t feel safe doing that and no one should – but that’s not what’s happening as the credit card info is only entered on the third-party processor’s secure site.
(I personally always look for the lock icon before I enter any personal info.)
I do get the perception thing, as some naive users (or overeager web browsers) might not realize what’s really going on, but making the site use HTTPS sounds like overkill to me.
I will research it, however.[/quote]
I used to believe that not everything needs to be secure. Thats why Xojos own site had a secure subdomain for some stuff, but most content came from the insecure main domain. Years ago, this was common practice. SSL used to come with a tangible monetary and performance cost.
These days, processors handle it so well and certificates can be had for free, the issue really becomes why not?
SSL provides integrity in both directions. It assures the content the user receives is the content you intended to send them. This is very important, because it protects the connection from being abused by a third party. This third party could be your ISP injecting tracking scripts - which may mess up your own JavaScript - or more malicious, such as a fellow coffee shop patron injecting a crypto miner into insecure pages. These are things your users wont see, but you may get blamed for.
Another possibility is how your SSL gets activated. Say you have a purchase button that directs to an SSL site. That button could be modified to direct somewhere else, like a phishing site. Maybe one designed to look just like PayPal.
The point is, if you care enough to put something on the internet, you should care enough to protect it. The goal is to minimize the potential attack surface between you and your users.
So once again, the question comes back to why not? Why are these protections not worth it? It doesnt cost you server performance, it doesnt cost you money, and even time spent is minimal. So… why not?
Google now flags sites that are not HTTPS capable.
Technically, the CC info is entered on your unsecure site and sent to the secure site. At least with the GumRoad popup thingy, the other method of checkout is fine.
Nice
And i bet it wont take too long until Browsers stop loading non SSL Sites without having the user to explicitly allowing this in the Settings (which most users never touch…).
First there was just a Lock Sign, then the red/green colored URL’s, next will be a Banner with a Warning, then a Nag-Message and finally the “i won’t load it” Setting.
Serious: And i hope, one day we will encrypt every Byte on the Internet. No matter which content it Forms once the Bytes reunite again. 