So you’ve got a small website, maybe a blog or local company website, and you don’t collect any personal data or accept credit card payments, so you don’t need to worry about going secure and using HTTPS, right?
Wrong! Every website should be secure. All of them. Yes, yours!
The first reason that you need your website to be secure is confidentiality. This definitely applies if you’ve got a login, are accepting payments, collecting any personal information, or even just allow an email address to be submitted for a newsletter subscription. It is really important to keep your users’ data secure and private, especially if you’re collecting the data of European citizens, due to GDPR. Having a secure connection means that no “man-in-the-middle” can read the data as it passes between the browser and your server, and vice versa. This is the main reason that most people consider.
Even if you’re not collecting any information (such as this website, which collects nothing), it is still important from an integrity standpoint. By having a secure connection, the user can be sure that the page they are seeing is the same as when it left your server: no “man-in-the-middle” could intercept and modify the page by inserting adverts, malware or whatever other malicious modifications they may wish to make. Even governments have been caught doing this. You don’t want your users to think these malicious elements are coming from you either, which is exactly how it will look to them.
Your users also want to know that they are actually talking to you. The argument rages on about whether Extended Validation (EV) certificates are better than Domain Validated (DV) certificates, but as long as you have a valid certificate, your users can check this in the browser and be sure that the page has come from your server. This helps protect against attacks such as phishing, where URL obfuscation is often used to trick users. For example, https://аррӏе.com – in modern browsers you will now see the full Punycode URL, but you used to see “аpple.com” using a Cyrillic “а” instead of an ASCII “a”. They look exactly the same, but technically they are different. This specific type of obfuscation is known as a homograph attack, but equally websites rely on us careless humans not noticing that “http://paypal.myaccount.com” (belongs to MyAccount) is not the same as “http://myaccount.paypal.com” (belongs to PayPal).
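To make the two tricks above concrete, here is an added example (my own illustration, not code from this post) that converts a hostname to the Punycode form the browser really resolves, flags labels that mix scripts or are written entirely in Latin-lookalike Cyrillic letters, and works out which part of a hostname is the registrable domain. The lookalike letter set and the public-suffix list are deliberately small constructed subsets; a real checker would use the full Unicode confusables table and the Public Suffix List.

```python
"""Homograph and subdomain-confusion checks for hostnames (constructed example)."""
import unicodedata

# Constructed subset of Cyrillic letters that look like Latin ones (a e o p c y x s i j d q w l h).
CYRILLIC_LOOKALIKES = set("аеорсухѕіјԁԛԝӏһ")
# Constructed stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = ("com", "co.uk")


def to_punycode(hostname):
    """Return the ASCII (xn--) form of a hostname, as sent in DNS and TLS SNI."""
    return hostname.encode("idna").decode("ascii")


def from_punycode(hostname):
    """Decode an ASCII hostname back to its Unicode form (no-op for plain ASCII)."""
    return hostname.encode("ascii").decode("idna")


def scripts_in(label):
    """Set of Unicode scripts ('LATIN', 'CYRILLIC', ...) used by the letters of one label."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}


def is_lookalike(hostname):
    """True if any label mixes scripts, or is whole-script confusable Cyrillic."""
    if hostname.isascii():  # accept either the xn-- form or the Unicode form
        hostname = from_punycode(hostname)
    for label in hostname.lower().split("."):
        scripts = scripts_in(label)
        if len(scripts) > 1:
            return True  # e.g. Latin "pa" + Cyrillic "у" + Latin "pal"
        if scripts == {"CYRILLIC"} and all(
            (not c.isalpha()) or c in CYRILLIC_LOOKALIKES for c in label
        ):
            return True  # every letter has a Latin twin: renders as "apple"
    return False


def registrable_domain(hostname):
    """The label directly left of the public suffix is the owner; anything further left is theirs."""
    labels = hostname.lower().split(".")
    for n in (2, 1):  # try the longer suffix ("co.uk") before the shorter ("com")
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return hostname


if __name__ == "__main__":
    for host in ["apple.com", "\u0430\u0440\u0440\u04cf\u0435.com", "paypal.myaccount.com"]:
        print(host, "->", to_punycode(host), registrable_domain(host), is_lookalike(host))
```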
Just in case I’ve not convinced you yet, here are some links…