Does my site need HTTPS?

This post was created to answer the entire pool of questions about “do I need to install SSL on my site” in one link. It’s a big misconception that only online stores need SSL; all websites need it. So the answer to the big question about SSL is:

Yes, your site needs HTTPS!

I will try to answer the popular questions of inexperienced webmasters and site owners. If you have more, write them in the comments and I will add them to the post.

But there are no forms on my site and it does not collect information from users

No matter. HTTPS protects more than just data transmitted through forms! HTTPS keeps the links, headers, and content of all pages you click on private.

There’s nothing secret on my site, my visitors have nothing to hide

It doesn’t matter. You are responsible for the site and what’s on it. ISPs embedding their code in websites without warning is a common story. Are you sure you want someone else to be able to change everything on your site, load third-party scripts, images, ads and shit like that, and, most importantly, make it look like you put it all there (you are the site owner)?

There are a lot of examples. Huge companies like Comcast are not at all squeamish about injecting their code, airlines also do it very often, and in China it is generally the norm (though who is surprised by this).

In Russia, too, you don’t need to go far for examples. I had such an example when I used Beeline. Even though they didn’t show ads, they added a piece of themselves to the pages. It turned out that this is such a feature and is disabled in the settings. Immediately disabled, a piece of Beeline disappeared, good. Although I should not have looked at the code then, especially before and after the changes in the settings. For some reason I am very sure that the foreign code on the sites has not disappeared.

By the way, hiding only important traffic is not the best way. That’s how you designate a “target” for a potential attacker. Encrypt all of your traffic so that attackers don’t focus on any particular section of your site.

My site is HTTP, but all data is transmitted over HTTPS.

This option is even worse than not using HTTPS at all, because it gives a false sense of security. If you send form data from an unencrypted page, there is nothing stopping an attacker from making the necessary edits to that unencrypted page beforehand, so that the form sends everything they need. Install encryption on the WHOLE site and redirect from HTTP to HTTPS. The redirect must be a 301; remember about SEO.
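
One way to check for both problems described above, as an added example that is not part of the original post: `audit_page` flags forms on an HTTP page even when their action is HTTPS, and `audit_redirect` checks that the first response to an http:// request is a 301 to https://. The function names and sample URLs are hypothetical, and the sample inputs are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page (hypothetical host names, not from the original post)
SAMPLE_HTML = ('<form action="https://pay.example.com/login" method="post">'
               '<input name="pw" type="password"></form>')


class _FormActions(HTMLParser):
    """Collect the action attribute of every <form> on a page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action") or "")


def audit_page(page_url, html):
    """Return findings for the forms on one page, given the URL it was served from."""
    parser = _FormActions()
    parser.feed(html)
    page_is_http = urlsplit(page_url).scheme == "http"
    findings = []
    for action in parser.actions:
        target = urljoin(page_url, action)  # an empty action posts back to the page
        if urlsplit(target).scheme == "http":
            findings.append(f"form submits in cleartext to {target}")
        elif page_is_http:
            # The case from the text: HTTPS target, but the page itself is unprotected
            findings.append(f"form on HTTP page posts to {target}: "
                            "action can be rewritten in transit")
    return findings


def audit_redirect(url, status, location):
    """Check the first response to an http:// request: 301 with an https:// Location."""
    findings = []
    if status != 301:
        findings.append(f"expected 301, got {status}")
    if urlsplit(urljoin(url, location or "")).scheme != "https":
        findings.append("redirect target is not https")
    return findings
```
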

I don’t have the money for an SSL certificate

Right here is free.

HTTPS is hard to install and maintain

If you have Vesta, it is very easy. You can also choose here how you want your certificate generated.

Hackers can spoof my site even if I install HTTPS.

Yes, but then the browser will show invalid certificate warnings. Remember that SSL guarantees the authentication of the site, not its invulnerability.

HTTPS won’t save you from DNS lookup

What is DNS lookup - reverse DNS lookup.

Of course it doesn’t, and it isn’t supposed to. And is that a decent reason not to encrypt data between your site and its visitors? Hint: no.

HTTPS is slow!

Where did this information come from anyway? All from the same SEO who doesn’t know the subject but is giving advice? No, connecting SSL will not slow down your site.

Scam sites use HTTPS too!

So what? Is that a reason not to use certificates yourself? No.

The ads on my site only work over HTTP

Too bad your advertiser doesn’t care about his traffic or yours. This in no way invalidates the fact that you need HTTPS on your site; it only gives you an opportunity to find a new advertiser or affiliate. You can even put AdSense in temporarily. And what kind of advertising is so interesting that it does not work over SSL? Write in the comments and I will help you solve your problem.

My site is available only in my region or only through VPN

Are you so sure about the company hosting all this that they don’t care about your visitors’ traffic? If you’re not sure, go with HTTPS.

We store encrypted passwords!

Cool, but it doesn’t matter here. Passwords aren’t stolen from your database, they’re stolen “from the user’s browser”.

HTTPS is bad for SEO

Not at all. On the contrary, Google and Yandex representatives have already mentioned several times that SSL connection in the