The massive speed benefits to HTTPS with http2

A major bonus to using HTTPS is the ability to use http2 to get faster parallel downloading allowing sites to load up to 90% faster depending on the number of embedded resources. You can read more about this on the post by Scott Helme at

“only users with bad ISP’s will have content changed”

While the main risk people see is that an ISP can modify HTTP content (yes they are), we do have other ways that users can be attacked using HTTP, and it can all be prevented using HTTPS. You can check out the Troy Hunt article about it called Why Your Static Website Needs HTTPS (also a video). If you want to know more about how users can be affected when it’s not the users ISP just read below.

Wi-fi Pineapples

We have devices in the wild called Wi-fi Pineapples that can force users devices to connect to it by mimicking real networks the user trusts like a home network while out and walking about. Using this the network can inject anything including malware into any HTTP page. But this is the key, the user must load a webpage (easy as they know they only connected to trusted networks) and the page they open is NOT using HTTPS.

It’s not just the users ISP

It does not always need to be the users ISP, it can be one of the many dozens that a page page can travel using before reaching the user. You see when a webpage is requested it can travel over a lot of different networks before reaching the user, the farther the user is from the origin the more networks it can go over. Here we loaded and recorded the networks the data is transferred over.

As you see at the top is the network the user is on, in this case the ISP is Shaw Cable, and goes over many devices and networks before reaching the host at At any point during this any infected device can modify HTTP requests and make changes. It only takes one infected system.

“This person is offering to install a “SSL” for me, at a cost”

Watch out for people who are doing this, the move to HTTPS has made people show up everywhere offering to install “a SSL” (TLS certificate aka enabling HTTPS) at a low cost. HTTPS is FREE and any web developer can easily set it up using Cloudflare or using Let’s Encrypt. Only allow the people you trust to modify your site and server. If you are in doubt and did not setup your site contact your host or the person who help setup your site.

“Google is going to start lowering my ranking in search for not having HTTPS”

Actually they gave boosts to sites using HTTPS in rankings over a year ago and they are just expanding this. They also announce all this back on Wednesday, August 06, 2014. You can read about it on the Google Webmaster Blog: HTTPS as a ranking signal, or view the Google I/O 2014 – HTTPS Everywhere talk.

This is nothing new and not the reason for the move to HTTPS but it’s an indication that sites that do not update contain outdated information or are untrusted sources because of the lack of resources and updates. Updating to HTTPS is easy and free as you can see on this page.

The web is moving this way, setup HTTPS or get left behind

There is one simple thing about all of this, HTTPS is moving forward as majority of traffic is already over TLS. So you can get on board or get left behind as a relic of the past.

I’m astounded to see people still arguing “my site doesn’t need HTTPS” so I’ll put it simply: either spend a few mins putting it on your site now or continually explaining to your visitors why your site is not “not secure” until you end up doing it anyway. It’s not a negotiation.

Troy Hunt on Twitter.

“My site does not collect information from users so I don’t need https”

False, without HTTPS content can be intercepted and modified, and this happens all the time.

My ISP is blocking sites by displaying Ads, a little research revealed that ISP is doing it. The source of that advert contains my ISP’s name in it.

Time Warner Cable is inappropriately injecting ads into various web sites via its TWCWiFi hotspots.

Telkomsel (ISP) is injecting ads onto sites.

AT&T hotspots are tampering with HTTP traffic and injecting ads.

Comcast Injecting ads “injecting this into every non-https website i visit is really, really, really, really pissing me off”

“Google is doing this to take over the web, and to remove HTTP” & “Google is just doing this for them”

No Google is not. They are following the lead of the other browsers like FireFox and Safari. Google is just doing what the users of the web are asking it to do. We in the security field are asking for a HTTPS always web to protect users. Thats why over we are passing 75% of pages are loaded over HTTPS.

According to Google’s HTTPS encryption transparency report, over 70 percent of pages loaded in the US are using HTTPS in Chrome in 2017.

Did you know Firefox actually started a lot of this by marking any page with a input even a search box as Not Secure on the top of the browser. Safari also added this in the Developer builds in MacOS Mojave. This is nothing new, Google is just pushing for a HTTPS only web like the other browsers.

HTTPS is NOT hard to enable, it’s quick and completely free!

No it really is not, and a good resource for this is that shows video steps on how to enable HTTPS using Cloudflare and then goes into more advanced steps if you want to. Using HTTPS is not only easy, but it is completely free.

You have many options like installing Let’s Encrypt on your server, or the most simple way, just use CloudFlare for your DNS and enable HTTPS only view this page to see how to turn on HTTPS via CloudFlare.

Setting up HTTPS with CloudFlare for free

Using Cloudflare for HTTPS is easy and free, just create an account and click on add site on the top right.

Once you follow the steps just turn on the cloud icon next to your DNS entry for your domain including the www. sub domain.

Now visit the Crypto tab at the top and go down to Always use HTTPS and enable it.

Now look at that, you have HTTPS all setup. If you need more help or a video tutorial you can find video steps by visiting