It may be better to post this as an issue on the Phoenix site’s GH - perhaps include the link to the post in @Exadra3 's post?
Personally I don’t see https as a big deal for a static websites. Encryption also takes an extra bit of computational power and while not significant for a single site, when it’s millions of static sites what is the cost to the environment?
(This forum is hosted in a carbon neutral datacenter btw )
Is a big deal if you care that your readers cannot end up being fished by a man in the middle attack, like prompting them to give away some personal information as part of some campaign you are running, but that in reality is the hacker is running it in your site.
Offering the user of the site to download for example a free sample of your latest book in PDF that contains a malicious script embed and many more other scenarios…
The intense shilling to use SSL for static website is a little much. SSL for static HTML prohibits MITM, but not great from a privacy perspective. With SSL the ISP still knows exactly what pages you request, all your browsing activity is still logged. SSL actually makes the privacy situation worse because you can’t render from a local cache. A mixed bag.
Having said that, I myself just went thru the exercise, now that GitHub supports SSL for custom domains. You have to update your IP addresses with your DNS registrar (get the new addresses here https://help.github.com/articles/setting-up-an-apex-domain/), then turn off your custom domain, then turn on your custom domain again to trigger the generation of the SSL cert.
I’m pretty sure with HTTPS only the hostname (DNS request) and ip/port is exposed to the ISP since that is required for TCP/IP routing. The rest of the browsing history including full URL w/querystring in addition to the headers and the payload are all encrypted, so they can know what servers you are hitting but not what pages you are requesting. The DNS request is unfortunately insecure still but you can improve privacy a bit by using something like 188.8.131.52.
Good to know Github supports SSL for custom domains now… and I think since they are using Let’s Encrypt it’s free which is great!
“We present a traffic analysis attack against over 6000 webpages spanning the HTTPS deployments of 10 widely used, industry-leading websites in areas such as healthcare, finance, legal services and streaming video. Our attack identifies individual pages in the same website with 89% accuracy […]”
I turned on SSL for my own static site. But to promote HTTPS as some sort of cure-all with no downsides is really ignorant.
If you get on your country’s intelligence services bad side, there is not much that you can do – that much is true.
That should not mean you must not make the lives of all other nosy organizations that much harder though. Given enough hurdles, attackers quit. Mass surveillance mostly works on the principle of gathering the lowest hanging fruits, not all possible fruits. (And as we all know, most people make it pretty damn easy to be tracked.)
I have friends who worked (and some still do) in ISPs. They say that they don’t bother logging anything except what the law mandates them to – namely which customers visited which IP when, that’s all (for 3-6 months). They all say logging customers is way too expensive for the ISP unless they are a country-wide mobile operator – and even then some don’t do it because they don’t want the extra expense.
That won’t stop a state-sponsored ISP from doing it, of course. With ongoing efforts to hide even DNS lookups however, even state-sponsored ISPs will face some really tough times Soon™.
Not so long ago, if you wanted to publish a dissident point of view, all you needed was a server and an IP address. Everybody in the world could access your information and you didn’t need to ask permission.
An SSL certificate is a license to publish, issued by a centralized organization that will necessarily bend to political pressure when it comes.
Did you ever notice that Let’s Encrypt requires you to renew your certificate every few months?
Fostering dependency on an infrastructural choke point is a power move.
Opt-In / limited SSL is fine. But I hope we reject universal encryption and the potential downsides it brings.