You may have noticed that our website now has HTTPS in its URL. This is because we have taken the decision to upgrade the site's security, for the reasons set out below. For some time we delayed this change, primarily because we felt that the site itself did not need the extra complication. There is no doubt that certain sites (such as online banks) need strong protection for the passwords, payment details and other personally identifiable information they exchange with their users. But is it really necessary on a site like this one, where users and members aren't providing sensitive input?
First, some background. HTTPS (Hypertext Transfer Protocol Secure) is ordinary HTTP carried over TLS, and it protects traffic to and from a website in two ways: encryption and authentication. Encryption uses cryptography so that the data exchanged can be read only by the two ends of the connection. Authentication is the browser's check that the server it has reached really is the one we (QDMOA) operate for this domain name, rather than an impostor placed somewhere along the path. That check relies on trusted third parties called Certificate Authorities (CAs), whose root certificates are built into browsers and operating systems. When a certificate is requested for a domain name, the issuing CA is responsible for validating that the requester controls that domain before it signs anything; the browser then verifies that the certificate it is shown chains to a trusted CA and names the host it asked for. Together, validation and encryption give our visitors assurance that their traffic is privately reaching its intended destination and is not being intercepted, inspected or altered in transit. One caveat: HTTPS says nothing about whether the site behind the padlock is honest, only that you are talking to the holder of that domain name.
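To make the authentication half of that concrete, here is an added example (not from this page, and not QDMOA's own setup): a shell script that builds a throwaway CA, issues it a certificate for the assumed hostname www.example.org, and runs the same two checks a browser performs, that the certificate chains to a root it trusts and that it names the host requested. A second "rogue" CA is created alongside to show that anyone can mint a certificate carrying your domain name; what makes it worthless is that no browser trusts its issuer. It assumes the openssl command-line tool (1.1.1 or later) is installed; all keys and files are temporary and constructed by the script.

```shell
#!/bin/sh
# Added example, not part of the QDMOA page: what a browser's certificate
# check actually does, reproduced with the openssl command-line tool.
# Assumptions: openssl 1.1.1 or later is installed; www.example.org is a
# stand-in hostname; both CAs are throwaway keys created in a temp dir.
set -eu

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT
SITE="www.example.org"      # assumed hostname
CNF="$WORKDIR/req.cnf"      # minimal openssl config so no system config is needed

cat > "$CNF" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF

# make_ca NAME: create a self-signed root certificate. Browsers ship a fixed
# list of such roots; a root not on that list is trusted by nobody, however
# genuine it looks.
make_ca() {
  openssl req -x509 -config "$CNF" -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$1 Test CA" \
    -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.crt" >/dev/null 2>&1
}

# issue_cert CA HOST: the CA signs a certificate binding HOST to a fresh key.
# A real CA only does this after proving the requester controls HOST; here
# nothing is checked, which is exactly what a rogue CA would do.
issue_cert() {
  ca="$1"; host="$2"; base="$WORKDIR/$ca-$host"
  openssl req -new -config "$CNF" -newkey rsa:2048 -nodes \
    -subj "/CN=$host" -keyout "$base.key" -out "$base.csr" >/dev/null 2>&1
  printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:%s\n' "$host" > "$base.ext"
  openssl x509 -req -days 1 -in "$base.csr" -extfile "$base.ext" \
    -CA "$WORKDIR/$ca.crt" -CAkey "$WORKDIR/$ca.key" -CAcreateserial \
    -out "$base.crt" >/dev/null 2>&1
}

# verify_cert CERT TRUSTED_ROOT HOST -> prints "ok" or "fail".
# This is the client-side check: does CERT chain to a root I trust, and does
# it name the host I asked for? Either failing is a browser warning page.
verify_cert() {
  if openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

make_ca real               # the CA the browser trusts
make_ca rogue              # an attacker's private CA
issue_cert real  "$SITE"
issue_cert rogue "$SITE"   # same hostname, untrusted issuer

echo "trusted CA, right host : $(verify_cert "$WORKDIR/real-$SITE.crt"  "$WORKDIR/real.crt"  "$SITE")"
echo "trusted CA, wrong host : $(verify_cert "$WORKDIR/real-$SITE.crt"  "$WORKDIR/real.crt"  "login.example.org")"
echo "rogue CA, right host   : $(verify_cert "$WORKDIR/rogue-$SITE.crt" "$WORKDIR/real.crt"  "$SITE")"
echo "rogue CA, rogue trusted: $(verify_cert "$WORKDIR/rogue-$SITE.crt" "$WORKDIR/rogue.crt" "$SITE")"
```

The first line prints ok and the next two print fail: a certificate from a trusted CA is rejected the moment the hostname does not match, and a certificate naming the right host is rejected when its issuer is unknown. The last line prints ok, which is the uncomfortable part of the model: trust is only as good as the list of roots the client carries, which is why a rogue or compromised CA is such a serious event.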
There are pros and cons to implementing HTTPS, and there is an argument about when a plain-HTTP site is acceptable. Originally, HTTPS was limited to cut-and-dried cases such as pages that handle payment transactions or login details. Arguments that this level of security is not always necessary usually revolve around the cost of certificates, the configuration work needed to set up proper HTTPS redirects, and the extra round trips of the TLS handshake, which add a small delay to the first connection to a site. However, over recent months and with the arrival of GDPR, demand for certificates has ballooned, and processes that were once complicated are becoming easier to implement, with free, automated issuance now widely available.
In addition to concerns over GDPR, web browsers (led by Google's Chrome) now mark plain-HTTP pages as "Not Secure" in the address bar, even on sites that should otherwise raise no security concerns whatsoever. Whether or not that is overkill, it is forcing site owners to be more security-conscious than ever.
The wider internet is rapidly adopting improved security standards, and the majority of web traffic is now being delivered via HTTPS. We have decided to go the same route and provide our users with the assurance that their traffic is private, and avoid our web pages being flagged as “Not Secure” by popular browsers. Secure-by-default is the proper way to go, and while some of our users may never notice, we hope that those who do will appreciate it.