Is This Website "Unsafe"?


Nonsense. You probably got that from the Google Chrome browser. Google makes money from their advertisers, and some of their advertisers make money selling certificates for website encryption. Follow the money.

Does encryption make a website "safe"? That depends on what you are trying to do. The function and purpose of encryption is to hide things, so if the purpose of your website is to hide things from the public, encryption is a way to do that. A better way to do that is to not put it on the internet. Nothing is really safe on the internet, not even if it is encrypted (see "Layered Insecurity"). My website has nothing to hide, so encryption, which prevents legitimate users from legitimate access to public information, is counter-productive.

Some "experts" might tell you that encryption protects information from corruption, but it's not true. The easy way to corrupt data on a website is to change it on the server's hard drives. Good Guys and Bad Guys alike know how to do that, and it happens before any encryption, so the encryption (if any) only protects the already corrupted data. Theoretically it is possible to intercept the good data in transit and substitute corrupt data, but to do that requires physical access to the cable somewhere along the line. It could happen on the server premises, but anybody with access there can corrupt the data on the hard drives much more easily. It's not going to happen on the telephone poles -- and even less likely in underground cables -- because you need power and a bulky computer and hard-to-attach cable connectors to do the dastardly deed. It might happen on your own premises, where the internet enters your office or home, but you (or the security guys in your office building) would notice the villains. Most internet service providers do their own encryption (to prevent freeloaders) so there are not many places where you could actually do that. Or it could happen by a virus inside your own computer, but again, that's outside the coverage offered by encryption.

If a website is offering secret data to a few people with passwords, Bad Guys on the same local network -- perhaps in a vacant office in the same office building, or on an unencrypted WAN -- could watch the data go by (they cannot alter it, but they can look), and learn the secrets if it's not encrypted. But like I said, my website is public information, I have nothing to hide, so encryption offers no benefits and considerable downside.

Mostly Bad Guys are the ones with things to hide. Maybe that's why some people are pushing encryption: If only secrets are encrypted, then the cops and robbers know who to spend their efforts on to expose those secrets, but if everything is encrypted, they can't tell the secrets from the public information. I have no desire to help Bad Guys do Bad Things, so I believe an unencrypted internet is in the public interest. Other people may have other opinions, but they are wrong ;-)

See also my blog post from three years ago, "Secure Websites".

Tom Pittman
2017 April 26, Rev. 21 May 29