Update 2.24.16: My monitor for broken links on my site flagged my link to reputation.com as being a redirect. It looks like they have implemented TLS encryption on their homepage now, but my custom rating link still does not load over TLS. Progress.
I received an email from my property manager this week requesting that I rate the maintenance service they had recently performed. I am normally not one to take the time to fill out voluntary surveys of any kind, but for something as personal as maintenance service at our residence, I decided it was worth it. The link in the email took me to a customized reputation.com rating page. The single-page survey just requested a rating out of 5 stars, a comment, my name, and my email address. I had the form all filled out and ready to submit when I noticed they were serving their site over unencrypted HTTP. I tried to force the page to reload encrypted by manually typing the “s” in the address, but that broke the site. They wanted me to provide them with personally identifiable data in the clear in 2016. Ugh.
It is so easy to encrypt now. I have taught myself web development as a side hobby, and I have figured out how to generate certificates. Services like Let’s Encrypt and CloudFlare provide free encryption options. If your app collects any information from your visitors and it is not encrypted, you are doing both your customers and your future self a tremendous disservice. Even though an email address or name is relatively benign information, hackers can combine it with other data and use it for phishing attacks or just plain ol’ spam. Show respect for your customers. As a side benefit, research is now proving Google’s promise that HTTPS sites will rank higher in search results.
Stop using any website that collects any information over unencrypted HTTP. Just stop. Be an informed enough user that you take this security measure. Would you send your phone number through snail mail on a postcard for every mail carrier to see? Whenever you fill out a form online, just be in the habit of verifying “https” is in the address bar of your browser as a fundamental prerequisite. HTTPS does not mean the website is trustworthy or even secure; it just means that, theoretically, your browser scrambles any data you type until it reaches the web server at the other end.
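
For site owners, the same check can be automated. The following is an added example, not code from the original post: it parses a page's HTML and reports any form that collects personal data while the page or its submit target is not HTTPS. The `PII_HINTS` list, the `survey.example` URL and the sample HTML are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Heuristic (assumption): field types/names that suggest personal data.
PII_HINTS = ("email", "name", "phone", "tel", "address", "password")

class FormAudit(HTMLParser):
    """Record every <form> with its resolved target and PII-like fields."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self._form = page_url, [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action submits to the page's own URL.
            target = urljoin(self.page_url, a.get("action") or "")
            self._form = {"target": target, "pii_fields": []}
            self.forms.append(self._form)
        elif tag in ("input", "textarea", "select") and self._form is not None:
            label = f"{a.get('type') or ''} {a.get('name') or ''}".lower()
            if any(hint in label for hint in PII_HINTS):
                self._form["pii_fields"].append(a.get("name") or a.get("type"))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def cleartext_forms(page_url, html):
    """Return forms that collect personal data without HTTPS end to end."""
    audit = FormAudit(page_url)
    audit.feed(html)
    # An HTTP page can be altered in transit, so an HTTPS action alone is not enough.
    page_plain = urlsplit(page_url).scheme != "https"
    return [f for f in audit.forms if f["pii_fields"]
            and (page_plain or urlsplit(f["target"]).scheme != "https")]

# Constructed sample modeled on the survey described in the post.
SAMPLE_HTML = """
<form action="/submit" method="post">
  <input type="radio" name="stars" value="5">
  <textarea name="comment"></textarea>
  <input type="text" name="name">
  <input type="email" name="email">
</form>
"""

if __name__ == "__main__":
    for form in cleartext_forms("http://survey.example/rate/123", SAMPLE_HTML):
        print("cleartext form:", form["target"], form["pii_fields"])
```
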