[quote=395315:@Marc Zeedar]Of course I don’t feel safe doing that and no one should – but that’s not what’s happening as the credit card info is only entered on the third-party processor’s secure site.
(I personally always look for the lock icon before I enter any personal info.)
I do get the perception thing, as some naive users (or overeager web browsers) might not realize what’s really going on, but making the site use HTTPS sounds like overkill to me.
I will research it, however.[/quote]
I used to believe that not everything needs to be secure. That's why Xojo's own site had a secure subdomain for some stuff, but most content came from the insecure main domain. Years ago, this was common practice. SSL used to come with a tangible monetary and performance cost.
These days, processors handle it so well and certificates can be had for free, the issue really becomes why not?
SSL provides integrity in both directions. It assures the content the user receives is the content you intended to send them. This is very important, because it protects the connection from being abused by a third party. This third party could be your ISP injecting tracking scripts - which may mess up your own JavaScript - or more malicious, such as a fellow coffee shop patron injecting a crypto miner into insecure pages. These are things your users won't see, but you may get blamed for.
Another possibility is how your SSL gets activated. Say you have a purchase button that directs to an SSL site. That button could be modified to direct somewhere else, like a phishing site. Maybe one designed to look just like PayPal.
The point is, if you care enough to put something on the internet, you should care enough to protect it. The goal is to minimize the potential attack surface between you and your users.
So once again, the question comes back to why not? Why are these protections not worth it? It doesn't cost you server performance, it doesn't cost you money, and even time spent is minimal. So… why not?
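As an added example (not code from this post or from Xojo), here is a small Python check for the purchase-button point raised above: it walks a page's links and forms and flags any hand-off that leaves your origin over plain http, or that goes to a host other than the payment processor you expect. Running it against your own checkout pages shows exactly which buttons a tampered plain-http page could have quietly pointed elsewhere. The sample HTML and the allowed-host list are constructed for the example.

```python
"""Audit a page's outbound hand-offs to a payment processor.

Added example for this thread, not code from the post or from Xojo.
It checks two things: every link or form that sends the user to a
third party uses https://, and the destination host is one you expect.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the checkout is allowed to hand off to (assumption for the example).
ALLOWED_PROCESSOR_HOSTS = {"www.paypal.com", "checkout.stripe.com"}

# Constructed sample page: one relative link, one correct hand-off,
# one hand-off still using plain http, and one form posting to a host
# that is not on the allow list.
SAMPLE_PAGE = """
<html><body>
<a href="/products">Products</a>
<a href="https://www.paypal.com/checkout?id=123">Buy with PayPal</a>
<a href="http://www.paypal.com/checkout?id=123">Buy (old link)</a>
<form action="https://checkout.unexpected-host.example/pay" method="post">
  <input type="submit" value="Pay now">
</form>
</body></html>
"""


class HandoffCollector(HTMLParser):
    """Collect every <a href> and <form action> destination on the page."""

    def __init__(self):
        super().__init__()
        self.targets = []  # list of (tag, url) in document order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.targets.append(("a", attrs["href"]))
        elif tag == "form" and attrs.get("action"):
            self.targets.append(("form", attrs["action"]))


def audit_handoffs(html, allowed_hosts=ALLOWED_PROCESSOR_HOSTS):
    """Return (tag, url, problem) for every risky external hand-off.

    Relative URLs stay on the page's own origin and inherit its scheme,
    so they are skipped; only absolute destinations are judged. A
    protocol-relative "//host/path" URL has no scheme of its own and is
    reported as "not https" because it follows whatever the page used.
    """
    collector = HandoffCollector()
    collector.feed(html)
    findings = []
    for tag, url in collector.targets:
        parsed = urlparse(url)
        if not parsed.netloc:
            continue  # same origin, same scheme as the page itself
        host = parsed.hostname or ""
        if parsed.scheme != "https":
            findings.append((tag, url, "not https"))
        elif host not in allowed_hosts:
            findings.append((tag, url, "unexpected host"))
    return findings


if __name__ == "__main__":
    for tag, url, problem in audit_handoffs(SAMPLE_PAGE):
        print(f"<{tag}> {url}: {problem}")
```

The check is deliberately strict about hosts: a processor link that resolves to an unfamiliar domain is exactly the symptom the post describes, so an allow list of the hosts you actually integrate with is the right comparison, not a generic "looks like a payment site" heuristic.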