In part 4, we looked at hardening default configurations and avoiding known vulnerabilities, but what other advantages are there to having our sites run HTTPS?
First, a recap of what we get by using HTTPS:
- Privacy - no one knows what your users are accessing
- Integrity - what is sent between you and your users is not tampered with at any point
HTTPS-only JS APIs

Most of the newest platform features are only available if served via HTTPS, and some existing features, such as GeoLocation or AppCache, will only work if served under HTTPS too. For example:
- Service Workers
- Push notifications
- Background sync
- Adding to home screen
While this is 'annoying', because it complicates web development and makes it less accessible than it used to be ("just place some files in a folder and bam, you're done!"), restricting these APIs to HTTPS makes sense: they add more power to the web platform, but they can also expose more private user data than the pre-HTML5 APIs could if that data is transmitted over HTTP.
You can read about the reasoning behind this move in the Secure Contexts specification.
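The following is an added example, not code from the original post: a small audit that reports which of the features listed above a page can actually use, based on `window.isSecureContext` and feature detection. The names `FEATURES`, `auditSecureFeatures`, `statusOf` and the two sample objects are assumptions made for illustration; the samples are constructed so the script also runs outside a browser.

```javascript
// Added example. FEATURES, auditSecureFeatures, statusOf and the sample
// objects are illustrative names, not part of any library.
const FEATURES = [
  { name: 'Service Workers',    exposed: (w) => 'serviceWorker' in w.navigator },
  { name: 'Push notifications', exposed: (w) => 'PushManager' in w },
  { name: 'Background sync',    exposed: (w) => 'SyncManager' in w },
  { name: 'Geolocation',        exposed: (w) => 'geolocation' in w.navigator },
];

// Classify each feature for a window-like object.
function auditSecureFeatures(win) {
  const secure = win.isSecureContext === true;
  return FEATURES.map(({ name, exposed }) => {
    const present = exposed(win);
    let status;
    if (present && secure) status = 'available';
    // Some browsers still expose the object on HTTP pages but reject calls,
    // so presence alone is not proof that the feature will work.
    else if (present) status = 'exposed-but-blocked';
    else if (secure) status = 'unsupported';
    // On HTTP we cannot tell "hidden by the browser" from "not implemented".
    else status = 'hidden-or-unsupported';
    return { name, status };
  });
}

function statusOf(report, name) {
  const row = report.find((r) => r.name === name);
  return row ? row.status : undefined;
}

// Constructed samples standing in for a page served over HTTPS and over HTTP.
const HTTPS_PAGE = {
  isSecureContext: true,
  PushManager: function () {},
  SyncManager: function () {},
  navigator: { serviceWorker: {}, geolocation: {} },
};
const HTTP_PAGE = { isSecureContext: false, navigator: { geolocation: {} } };

if (typeof window !== 'undefined') {
  console.table(auditSecureFeatures(window)); // real page: audit the live window
} else {
  console.log(auditSecureFeatures(HTTPS_PAGE), auditSecureFeatures(HTTP_PAGE));
}
```

Run in a browser console on an HTTP page and then on its HTTPS equivalent to see which features change status.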
Hopefully, Let's Encrypt will help make HTTPS universally available for everyone--not just those fortunate enough to have the time and money required to obtain and install digital certificates.
Coming up next: WordPress considerations, and cool things you can do with WordPress and HTTPS.