267
linuxxx
6y

New Dutch (or European?) law requiring https for any website with a contact form or higher is going into effect very soon. We're contacting customers so they can still be on time with this, this is how most convos go:

Colleague: *explains*
Client: I'm sure my security is good enough...
Colleague: I'd really recommend it, we've got free options as well!
Client: it's just a secure connection, what's the big deal...
Colleague: *more arguments*
Client: I just don't see the point, security.... well.... does it really matter that much...
Colleague: Google might place you lower in the search results if you don't get a secure connection.

Client: 😢😥😡 uhm so what were the https options again? 😅

I hope they all die a painful death 😠

Comments
  • 38
    @Alice Staying high in the Google results? Nobody really indeed ;)
  • 38
    It's called "Client Syndrome" and is a very serious illness with a near zero chance to heal. Only extreme patience and calmness can help to lower its side effects and impact on the affected person's surrounding.
  • 3
    Hmm never heard of this law before...
  • 15
    @Codex404 GDPR? Secure connection required for pages handling sensitive data.
  • 6
    @PonySlaystation but wait, are you saying that we let mentally impaired people pay us? That's wrong on so many levels!
  • 6
    @linuxxx
    It is not GDPR.
  • 1
    @Linux AVG then? It's definitely one of those two but I always mix them up
  • 12
    @linuxxx
    Either that or ePR.
    But, it is important to note that TLS is a must if you have a form anyway, Chrome will label all websites that are over http as insecure later this year. So that is probably an argument that most of your customers will accept ;)
  • 8
    People should be afraid to even access a normal website without that extra letter "S" in http, well it looks cooler :P

    Seriously now, http only websites should stop, there is LE for basic websites unless people are not willing to do anything.
  • 0
    I already use https everywhere and block all unencrypted requests
  • 5
    Surely the potential to be fined or have legal action taken should be enough of an argument? (Assuming of course that it's as serious as that, I know a lot of noise has been made about GDPR for example but I don't know about this specific law you mention - if it's a law, it must be followed...)

    And as @gitpush pointed out, there's really no excuse not to use https as any site can use it now - Let's Encrypt for free, or other certificate authorities that can be paid for.

    As for http - redirect to https and be done with it :D
  • 5
    The sad thing is one client came to me (knowing almost nothing about computers in general) and said that their website is showing as dangerous... After several hours of explaining what I need to know from them I finally found out that they are using Invision... These fuckers do not allow you to use SSL unless you pay something like $20 extra a month (for $5/mo hosting) which is fucking insane, 90% sure they use LE certificates and they charge $20 for that... Fucking assholes... I did not manage to convince the client to use different hosting because they want Invision because "the others use it too"... I just basically started ignoring that guy at that point and never wrote back to any of his messages.

    (to clarify: I made some info website and a Discord bot for this guy in the past - that's why I called him a client)
  • 0
    @linuxxx ah didn't know that was part of it. And it's a European Law
  • 0
    Everyone should be using Let's Encrypt these days for everything. I got certs for all my personal websites a while back; even wrote a little tutorial of how to do it all in Docker:

    https://penguindreams.org/blog/...
  • 0
    @linuxxx Are you talking about the General Data Protection Regulations (GDPR)?
  • 2
    @SITCHEZ no it's ePR. @Linux already explained above.
  • 1
    Not getting high in the Google results == best security :^)
  • 2
    @elcore
    Why do the Dutch have a different name for GDPR? Does not make sense.
    Search for ePrivacy Regulation
  • 1
    @thesagya I haven't seen it in the morning today, but now I see it too. 😅
  • 1
    @Linux AVG is the Dutch shortcut for GDPR in the national language. AVG means there "algemene verordening gegevensbescherming"

    Here in Germany it's called "europäische Datenschutz-Grundverordnung" (short: EU-DSGVO) (we Germans love crazy shortcuts for our complex law names).
  • 1
    @SITCHEZ
    Thanks for making that clear!
  • 0
    Your content might not be sensitive. Your admin interface is.
  • 0
    Stack Exchange mentioned in a blog that they don't require a lot of security since most of their data is open and user auth is handled by other oauth2 providers, and an https connection is an overkill for them. They did that to stay relevant. They did write about their complete migration on https and how they work with TLS and certificates etc.
  • 2
    Client logic: Google search positions >>>>> transmitting your users' data securely
  • 0
    Reading all of these comments, I'm so happy that I got an ssl cert for my site. I'll do shit in seo because of the free domain but it's nice to see that any potential international viewers won't have to suffer. It really isn't that hard to ssl, and it's *free*, people!
  • 0
    @andros705
    The thing that really worries me most is that Google is financing LE