ISPs / other middlemen can monitor and modify unencrypted traffic. In Egypt, Syria and Turkey for example ISPs injected malware into unencrypted sites that led people to install spyware when attempting to download legitimate programs (link). Other state actors have changed the content of news media, etc. Without HTTPS you lose the ability to trust the integrity of a given webpage.
I worked for an authority that issued digital certificates for SSL and digital signatures. It's not only about providing encryption but also about trust: when a top level entity issues an SSL certificate, a number of identity validations are carried out, adding an extra layer of confidence on that website.
This may seem inconsequential for static websites without PII, however most browsers consider it important as it reduces the risk for all parties involved when encrypted communication is used and the content provider has taken basic steps for identity verification.
There are logic flaws with this approach to security imo, but it's the most commonly used technique at the moment.
That “usually” is doing a ton of work. I remember Vodafone injecting scripts into webpages many years ago. While trying to find a source, I bumped into other shenanigans.
That’s not a valid defence, it’s moving the goalposts and whataboutism. ISPs shouldn’t be bad actors at all and they have the ability to do the most harm.
Maybe if they live in a high income country with relatively strong consumer protections and are using their home ISP. But quite a lot of the internet is very much not that.
In some places and on some networks, MiTMing http traffic for undesirable use-cases is routine.
Because securing things that don't need to be secured (which is most of the Internet, frankly) is a waste of time and effort. Unless you are handling credentials or other sensitive data, you don't need TLS and shouldn't bother.
Perhaps you don't understand what HTTPS does. Which is totally fine! Lots of people don't really get it (or even need to). But yelling "buzzwords" for the things you don't understand doesn't make the usefulness go away.
For someone so wrong about this, you're very opinionated! It's quite a dangerous mix. Thankfully, not dangerous to me, so I can just have a little chuckle and move on.
Security is: confidentiality, integrity, availability. HTTPS gives you two of those. Well, as long as you trust the CAs that came installed on your computer that is.
There are zero buzzwords. I was just being vague because again, the cost of just flipping https on is negligible, it's literally more work to have this conversation and work out all of the details of exactly what attacks you're protected against.
It is never worth asking "should I even do https?" The only variation worth considering is "is https enough?" And even then, start with https and then build on top.
It does quite a lot for security. It prevents eavesdropping (to an extent, better with ESNI), disallows ad/malware injection or content modification, and prevents credential sniffing. It does all that against most reasonable attackers, up to around the rough ballpark of nation states.
All for the price of about the same amount of work that it took to read this message.
"Https is only for credit cards" is some serious 1990s bullshit.
Chrome has labelled sites as Not Secure if they didn't use https since 2018. Most people didn't like that label showing on their website address, so it was a clever way to shift everyone.
Years before that the free certificate authority Let's Encrypt was established (there are now several more), so for most people using https with your website is just configuration, not an extra cost. On top of that some http protocol versions are now https only.
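The comment above describes the migration most operators made: serve http:// only to redirect to https://, then pin the upgrade with HSTS. The checker below is an added example and not code from the thread; it evaluates constructed sample responses (the `SAMPLE_*` tuples are made up, and the header dictionaries stand in for whatever HTTP client you use) to confirm the cleartext origin redirects to https:// and that the https:// response carries a Strict-Transport-Security header with a reasonable max-age.

```python
from urllib.parse import urlsplit

# Constructed sample responses as (status, headers); not captured from any real site.
SAMPLE_HTTP_RESPONSE = (301, {"Location": "https://example.test/"})
SAMPLE_HTTPS_RESPONSE = (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
WEAK_HTTP_RESPONSE = (200, {"Content-Type": "text/html"})        # cleartext page served as-is
WEAK_HTTPS_RESPONSE = (200, {"Strict-Transport-Security": "max-age=0"})  # HSTS effectively disabled

# 180 days is the assumed minimum here; pick the value your policy requires.
MIN_HSTS_AGE = 15552000


def parse_hsts(value):
    """Split an HSTS header into a dict of lower-cased directives.

    Valueless directives (includeSubDomains, preload) map to True.
    Returns {} when the header is missing or empty.
    """
    directives = {}
    if not value:
        return directives
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:
            key, val = part.split("=", 1)
            directives[key.strip().lower()] = val.strip().strip('"')
        else:
            directives[part.lower()] = True
    return directives


def check_http_upgrade(status, headers):
    """A request to the http:// origin should be redirected to an https:// URL, never served.

    Returns a list of findings; an empty list means the upgrade is in place.
    """
    location = headers.get("Location", "")
    if status in (301, 302, 307, 308) and urlsplit(location).scheme == "https":
        return []
    return ["http:// request was served content or redirected to a non-https target"]


def check_hsts(headers, min_age=MIN_HSTS_AGE):
    """Confirm the https:// response pins future visits to TLS via HSTS."""
    findings = []
    directives = parse_hsts(headers.get("Strict-Transport-Security"))
    if not directives:
        return ["no Strict-Transport-Security header on the https:// response"]
    try:
        max_age = int(directives.get("max-age", "0"))
    except ValueError:
        max_age = 0
    if max_age < min_age:
        findings.append(f"HSTS max-age {max_age} is below the required {min_age}")
    if "includesubdomains" not in directives:
        findings.append("HSTS does not cover subdomains (includeSubDomains missing)")
    return findings


def assess_deployment(http_response, https_response):
    """Combine both checks into one report for a site."""
    return check_http_upgrade(*http_response) + check_hsts(https_response[1])


if __name__ == "__main__":
    print("good:", assess_deployment(SAMPLE_HTTP_RESPONSE, SAMPLE_HTTPS_RESPONSE))
    print("weak:", assess_deployment(WEAK_HTTP_RESPONSE, WEAK_HTTPS_RESPONSE))
```

To run it against a live site, replace the constructed tuples with the status and headers returned by your HTTP client for `http://` and `https://` requests to the same host, with redirects disabled so the 301 itself is observed.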
Perhaps they shouldn't but that forced the hands of many who would have otherwise dragged their feet for another century.
I get bothered by it, Chrome doesn't even allow you to confirm and proceed at the bottom of the warning page anymore, but there is some flag you may disable if you feel safe about all your visits.
Hopefully Google will start flagging ipv4 servers too. And one day block them by default.
Would you trust handing a sack full of money to a stranger and tell them to bring it to the bank for you or do you hire an armored car service?
We need https because the modern web browser isn't a trustworthy or secure program. A web browser isn't a sandbox, so code can be injected into an insecure http stream to force the browser to compromise the machine it is running on. This is just the state of the internet - there are literal highwaymen in the form of malicious routers and other networking hardware on the internet. https is unfortunately the only way to ensure the highway for your data is secure and the data arriving to you is trustworthy.
The only way to avoid this is to use a browser like netsurf that eliminates the insecure modernity or don't use the web.
It hasn't been retired. Using HTTPS everywhere is cargo cult nonsense. Most sites do not benefit from it, and the push to have it everywhere is obnoxious as hell.
It was obnoxious, Let's Encrypt solved that from the operator's perspective.
Man in the middle attacks are very real. A good ratio of routers get hacked during manufacture, or have a backdoor that gets exploited by other hackers, and http hits make these exploits even easier to execute. Public WiFi is often insecure; https works around that problem (for the most part).
From an attacker perspective, widespread https has become obnoxious, yes.
If you only secure the login you will be sending your session cookies unencrypted for the other pages and they can be intercepted and used to impersonate you.
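The cookie problem described above is mechanical: a browser attaches any cookie that lacks the `Secure` attribute to plain http:// requests for the same site, so a login over TLS followed by cleartext page loads leaks the session token. The audit below is an added example, not code from the thread; it parses constructed `Set-Cookie` headers (the `SAMPLE_SET_COOKIE_HEADERS` values are made up) with the standard library and models the scheme check a browser performs before sending each cookie.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample Set-Cookie headers, as a login endpoint might emit them.
SAMPLE_SET_COOKIE_HEADERS = [
    "session=abc123; Path=/; HttpOnly",                          # no Secure: leaks over http
    "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",    # hardened form
    "prefs=dark; Path=/",                                        # low value, but still flagged
]


def parse_set_cookie(header):
    """Reduce one Set-Cookie header to the attributes that matter for transport safety."""
    jar = SimpleCookie()
    jar.load(header)
    name = next(iter(jar))          # SimpleCookie keys by cookie name
    morsel = jar[name]
    return {
        "name": name,
        "value": morsel.value,
        "secure": bool(morsel["secure"]),      # True only when the flag is present
        "httponly": bool(morsel["httponly"]),
    }


def browser_would_send(cookie, url):
    """Model the Secure attribute: a cookie without it accompanies http:// requests too."""
    scheme = urlsplit(url).scheme
    if cookie["secure"] and scheme != "https":
        return False
    return True


def audit_cookies(headers, cleartext_url="http://example.test/page"):
    """Return one finding per cookie that would be transmitted in the clear."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if browser_would_send(cookie, cleartext_url):
            findings.append(
                f"{cookie['name']}: missing Secure attribute; "
                f"browser would send it to {cleartext_url}"
            )
    return findings


if __name__ == "__main__":
    for finding in audit_cookies(SAMPLE_SET_COOKIE_HEADERS):
        print(finding)
```

The same check applied to your own application's login response is the quickest way to confirm that "HTTPS on the login page only" is not protecting the session at all; the fix is the second sample header plus serving every page over TLS, which is what the thread is arguing for.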