If you're reading this blog post on eggerapps.at, you might have noticed there's a small lock icon in your browser's location bar now. That's because my website is now served exclusively via HTTPS.
Why HTTPS is important
When using HTTPS instead of HTTP, all data is transferred via an SSL connection. SSL has two advantages. First of all, it encrypts all data in transit, so that it is impossible for attackers to listen on the network. Encryption is of limited importance for eggerapps.at. Everything here is public, and I don't store any private information.
The second advantage of SSL is that all transferred data is digitally signed with a certificate. This guarantees that no one is changing data in transit, and no one else is pretending to be eggerapps.at. And that is very important because it guarantees authenticity when you download one of my apps.
If you download an application using HTTP, you have no guarantee that the app wasn't tampered with in transit. An attacker could run a proxy server that sends you a manipulated copy of the app! The app could contain a backdoor that spies on you, or allows an attacker to remote control your computer.
Limitations of HTTPS
HTTPS uses a private key stored on the web server. If someone breaks into my web server, and steals the private key, they can pretend to be eggerapps.at. In this case I could revoke the corresponding certificate. But if I don't detect the intrusion, no one would know that someone can impersonate me.
Additionally, you need to trust the certificate authority (CA) that issued my server certificate. CAs guard their private keys closely, but more than one CA has been breached in the past.
HTTPS doesn't protect you against governments; they could force CAs under their jurisdiction to issue fake certificates. Or maybe they could convince my hosting company to send them a copy of my private key.
Last but not least, you still have to trust me. Even with HTTPS, I could simply include an evil back door in my software myself.
If you connect to my server via HTTP, the server will redirect you to HTTPS. I am using Strict Transport Security to prevent SSL stripping attacks. The certificate is a full business validation certificate, even though many people claim that is unnecessary.