Thread: HTTPS certificate expired
-
08-02-2018, 11:46 AM #11
I know that Google will soon be blocking all web sites that use http rather than the secure https protocol. They are trying to force the conversion.
It has not been all that long since this forum changed from http to https.
All web sites conducting financial transactions or that have login procedures certainly need to be secure. However, there are a lot of smaller "information only" web sites put up by individuals and non-profit organizations that will be effectively shut down until they are able to convert the web site over to https. This will become an impediment to free speech.
-
08-02-2018, 12:08 PM #12
Not really. Everyone can get certificates.
The problem is that even small mom and pop websites can cause damage if they are hacked.
For example, SRP has a module that allows you to pay for vendor status via a link to PayPal. If an attacker can insert themselves at that point, they can steal money and perhaps even take over your PayPal account. SRP may not be a small site in your definition. But even if a small site has zero financial ties, lack of encryption may enable an attacker to harvest personal information from a site, usernames, passwords, emails, birthdays, etc. And all that information itself can be used for identity fraud, credit card fraud, password guessing, etc.
HTTPS has one purpose only: to make sure that no one can read anything between your computer and the server hosting the website, and no one can insert themselves in the communication and pretend to be the client or the server.
With everything being connected to the internet, and devices with personal information being attacked from all sides, there is not a single good reason to use plain http. Every webserver supports https, including the open source webservers. All web clients support https, including the open source ones. And everyone who can register a domain can also get the certificates. In other words, there is absolutely no impact on free speech.
Security is not something anyone should ignore, and https has been around and mainstream for many years. And switching from http to https does not require investment. It is literally just a matter of doing it, whether you are an individual or NPO. Even wetshaversworkshop has switched to https and we are extremely small.
Btw, one argument you could bring up is how it may affect people running older webservers or systems that do not yet support that. Let me assure you this: ANYTHING that is old enough not to support out of the box https and is still connected to the internet has been subverted already and is acting as a tor node, a botnet node, or storage for malicious files. Websites are under attack day and night by spammers and hackers. I know wetshaversworkshop is and I imagine SRP is attacked on a daily basis by automated tools just looking for a way in. Even my snailforge website, which is pretty much ignored by everyone including myself, is attacked several times per day.
I had a web site running on a server belonging to a former SRP admin, and after I had neglected my site for a year, I got a call from him, asking me for permission to delete the entire thing because an automated attack had used a recently discovered vulnerability to get in and fill the hard drive with torrent files.
Free speech is unaffected, and anything that is old enough to not support https is running in zombie mode already.
Last edited by Bruno; 08-02-2018 at 12:10 PM.
Til shade is gone, til water is gone, Into the shadow with teeth bared, screaming defiance with the last breath.
To spit in Sightblinder’s eye on the Last Day
-
The Following User Says Thank You to Bruno For This Useful Post:
Speedster (08-02-2018)
-
08-02-2018, 01:36 PM #13
No apologies necessary - thanks for your hard work!!!
"All of us are smarter than one of us"