The prevalence of free, fast and open WiFi networks has made it extremely easy for a WiFi eavesdropper (sniffer) to track your activity and perhaps even steal your identity cookies while you're connected to that network. While awareness is increasing, it's nowhere even close to what it should be. Here's why.

The internet is an inherently open platform, a large network of billions of interconnected devices. With increasing amounts of personal data stored on the web, it's imperative that we place a focus on data privacy and encryption.

For a long time, I figured that most major websites had 'solved' this problem by simply enabling (optional or mandatory) encrypted HTTPS traffic for all logged-in users. Almost every major company now serves its services almost exclusively over HTTPS. However, I do think that this is a "boil the sea" solution. It's naive to argue that every website should encrypt its traffic all the time. Encrypting everything just to protect one lousy identity cookie header seems like a whole lot of overkill to me.

There's no reason to encrypt traffic for anonymous, not-logged-in users who aren't handling sensitive data. However, it's almost the norm today, especially with Google's Chrome update from January 2017:

Starting Jan 2017, all sites will show a "Not secure" badge when login, credit card or any other sensitive information is requested over an unencrypted connection.

Additionally, Google is throwing its considerable weight behind this effort by ranking non-encrypted websites lower in search results. That's primarily why this blog is HTTPS enabled (and because I have to log in to make posts).

But with more government spies and online hacking than ever, a new exploit seems to be released every day. I remain convinced that we should all adopt HTTPS as the norm, even if your website holds no sensitive information. HTTPS is the first, most basic step you can take to protect yourself on the internet. While it doesn't eliminate every potential threat, the abilities of "nefarious evildoers" are drastically limited.

Why?

  • You have an unalienable right to privacy, both in the real world and online. Without HTTPS you have zero online privacy from anyone else on the networks you're connecting through. A 7-year-old could be stealing your information; it's that easy.
  • The performance penalty of HTTPS is gone. In fact, HTTPS arguably performs better than HTTP on most modern devices.
  • Using HTTPS means that nobody can tamper with the content in your web browser. By this, I don't mean hackers. Imagine if your internet provider decided to inject messages into all of your web traffic, simply because you illegally downloaded a movie! And that's the best-case scenario, with people who are at least trying to follow the rules. What if someone decides that the rules don't apply to them?
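The cookie-theft scenario from the opening paragraph comes down to one cookie attribute: a session cookie set without `Secure` is attached to any plain-HTTP request to that host, where a sniffer on the same WiFi can read it. The following is an added example, not code from the original post, that audits a captured HTTP response for the headers that close this gap: the `Secure` and `HttpOnly` cookie attributes, and a `Strict-Transport-Security` header so the browser stops making plain-HTTP requests to the site at all. The two sample responses are constructed for the example, and the function names are my own.

```python
"""Audit a captured HTTP response for cookie and transport settings
that let a session cookie leak over plain HTTP."""

# Constructed sample responses (not captured from any real site).
# The first sets a session cookie with no Secure/HttpOnly flags and no HSTS.
LEAKY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "\r\n"
    "<html>...</html>"
)

# The second is the hardened form of the same response.
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
    "<html>...</html>"
)


def parse_headers(raw):
    """Split a raw HTTP response into its status line and a list of
    (lowercased name, value) pairs. A list is used rather than a dict
    because Set-Cookie may legitimately appear several times."""
    head, _, _ = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = lines[0]
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def cookie_attributes(value):
    """Return (cookie name, {attribute name -> value}) for one Set-Cookie
    header. Flag attributes such as Secure map to an empty string."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_response(raw):
    """Return a list of findings; an empty list means nothing in this
    response would expose a cookie to a plain-HTTP eavesdropper."""
    _, headers = parse_headers(raw)
    findings = []
    names = [n for n, _ in headers]
    # Without HSTS the browser will still follow http:// links to this
    # host, and any non-Secure cookie rides along in the clear.
    if "strict-transport-security" not in names:
        findings.append("missing Strict-Transport-Security header")
    for name, value in headers:
        if name != "set-cookie":
            continue
        cname, attrs = cookie_attributes(value)
        if "secure" not in attrs:
            findings.append(f"cookie {cname!r} lacks Secure: sent over plain HTTP too")
        if "httponly" not in attrs:
            findings.append(f"cookie {cname!r} lacks HttpOnly: readable by page scripts")
    return findings


if __name__ == "__main__":
    for label, resp in (("leaky", LEAKY_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(resp) or ["no findings"])
```

The same check can be run against a response captured with `curl -i`; the fix on the server side is to add `Secure` and `HttpOnly` to every session cookie and to send an HSTS header once the site is reliably reachable over HTTPS.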

HTTPS is not that expensive to implement anymore. Traditionally, HTTPS certificates were issued by commercial certificate authorities and cost a lot of money (sometimes on the order of tens of thousands of rupees), a recurring cost you must bear every year for as long as you keep the certificate. Without a certificate, you can't encrypt anything.

At least, this was the case until Let's Encrypt was created by Josh, Eric, Peter and Alex. Let's Encrypt is a 501(c)(3) non-profit organization based in the USA, supported in its efforts by several notable organizations.

Let's Encrypt is a free, automated and open certificate authority, most notably supported by the Linux Foundation, ISRG, EFF, Mozilla, OVH, Akamai and other partners.

As of late 2017, they've issued over 100 million certificates using their free platform and, to my knowledge, are the only reliable and trusted source for free SSL certificates that has ever existed (in fact, this blog uses Let's Encrypt). The EFF has also built a tool called Certbot to make deploying these certificates dead simple.

If you're building a website of any kind, I highly recommend Let's Encrypt before you consider hosting an unencrypted version.

However, because Let's Encrypt is a non-profit organization that doesn't make a profit from each SSL certificate it issues, it needs our support:

Personally, I've donated an amount to Let's Encrypt that equals what I would have paid in a year to my old certificate authority. I suggest that you do the same.

If you work for a large company, please urge them to sponsor Let's Encrypt to help promote a better, safer web for everyone.