I'm going to build a WP site for the first time and I'm uncertain as to whether or not to use HTTPS protocol. I read: "HTTPS increases security with the cost of Server’s computing power. There is absolutely no need to serve a HTTPS webpage, when there is no question of any privacy. Moreover it takes more time to get a HTTPS webpage rendered on Browser when compared to a HTTP webpage. This is due to the required negotiation time of the server to authenticate the GET request." The site will not be interactive, and it may have some volume. I have 2 questions: 1) Is HTTPS a reasonable security measure for such a site? 2) Is HTTPS often a problem in bogging down loading speed?
Use of HTTPS should reduce the possibility that a MITM could tamper with your content and/or your visitor's browser. Such as an ISP, public AP, and/or other bad actor injecting advertising/tracking, malicious JavaScript, etc. It should also reduce the amount of information that intermediaries could acquire by observing your visitors' traffic while they are at your site. So it is a good thing to at least offer to those who want to use it. If you support both then you can perform your own comparisons. I haven't done one, but I've seen website operators and web developers present their own HTTP vs HTTPS comparisons. IIRC those gravitated towards "yeah there are some performance/overhead differences, but not as bad as we thought and those concerns are outweighed by the benefits of HTTPS". I kept no bookmarks but I'm sure you could locate such articles by searching.
Agreed. As a matter of fact, I didn't notice any slowdown when I switched my homepage to HTTPS (I haven't done any serious performance test, though, so it's just my gut feeling). One aspect to consider is the fact that for some time past Google (and possibly other search engines) favors HTTPS sites over HTTP sites in their rankings.
I also agree with @TheWindBringeth. You can look at this: https://www.eff.org/https-everywher...ite-to-support-https-compared-to-regular-http
Thanks for those replies. "So it is a good thing to at least offer to those who want to use it." Hmmm... I suppose that raises another question: how many people would want to use it? It might be a waste of resources if very few use it.
The thing is that over time HTTPS is becoming the standard more and more as Google, Mozilla etc. are pushing it. And as said above, HTTPS increases the likelihood that your site will be found in search engines as it improves its position in their ranking.
CPU hardware encryption and speed make this way less of an issue than it may have been a few years ago - 1 or 2% are the figures I've seen. I'm a bit bemused by your attitudes, both to your users and to your own "brand". You ought at least to give your users the option - it's their privacy and MiTM attack surface, not yours. They may have many reasons for not wanting others to know what they've been reading. From your perspective, as a "brand", I'd say that having http only is amateur these days, people would expect that option on any serious website. With the EFF certificates, it's not a significant financial or technical burden.
I think the attitude of savvy users would be: use HTTPS unless there is a good reason not to (which is rare). Many ordinary users have also been taught to use ("want") HTTPS wherever possible. It is hard to predict what the actual numbers would be. Factors would include the nature of the site and content, how it gets indexed in the various search engines, what URLs are shared or published elsewhere, whether the site is supported by HTTPS forcing extension(s), etc. As well as how things play out in the future. One significant aspect being how browsers/apps present HTTP to users. For example: https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html
Thanks for those replies. I take it that using https 'on the administrative side' is (1) a different process, and (2) more required for good security, or so I've surfed. Yes? [I got some of that notion here: https://codex.wordpress.org/Administration_Over_SSL]