One may wonder: why isn't the web secure by default? Why is HTTPS not standard, and why do we even allow insecure connections over HTTP?
Well, the simple reason is that the amazing inventors of the internet, which we now take for granted in our daily lives, did not build encryption into the protocol by default. Over time, SSL was created as an additional layer to encrypt transmissions from the client to the server. This is crucial for keeping information secret, especially when entering login credentials or credit card information on a website.
Do we need to encrypt everything? This is debatable. Does it matter that someone can spy on me while I browse Amazon over an insecure connection while sipping on an espresso at the local Starbucks? It surely does when I get to the payment page and enter my sensitive credit card information. Privacy advocates will argue that even the simple act of browsing a site should be encrypted, protected and "no one's business but their own".
So why aren't all sites encrypted today? The simple answer is cost and implementation, but mostly cost. Amazingly, a new project has emerged whose goal is to encrypt the entire internet. It's called Let's Encrypt (https://letsencrypt.org).
This service is free. For the first time, with relatively limited technical skills required, small businesses, website owners, or anyone hosting a website can now easily provide their services over a secure connection.
Personally, I am now utilizing the amazing services for multiple sites, including this one (https://dags.io). Utilizing Let's Encrypt utilities, my sites will now automatically renew the SSL certificate every month, without any cost or human intervention needed. I currently run my services on CentOS 7 with Apache 2.4. With this configuration, I was able to write a very simple script that automatically renews my certificates, without the need to ever stop the web server.
Check out my updater here and please utilize it to secure your own sites!
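
An added example, not the author's updater: one way to renew a certificate without stopping Apache. It assumes the certbot client with an authenticator that leaves Apache running (such as webroot); the function names, variables and the certificate path are hypothetical placeholders.

```bash
#!/usr/bin/env bash
# Added example, not the author's updater. Paths and commands below are assumptions.

CERT="${CERT:-/etc/letsencrypt/live/example.com/cert.pem}"  # placeholder domain
RENEW_DAYS="${RENEW_DAYS:-30}"                              # renew when fewer days remain
# Assumed renewal client: certbot, configured with an authenticator that does
# not need Apache stopped. Both commands can be overridden, e.g. for testing.
RENEW_CMD="${RENEW_CMD:-certbot renew --quiet}"
RELOAD_CMD="${RELOAD_CMD:-apachectl graceful}"

# Returns 0 if the certificate expires within N days, 1 if it does not,
# and 2 if the file is missing or is not a parseable certificate.
cert_needs_renewal() {
    local cert="$1" days="$2"
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || return 2
    # -checkend exits 0 when the certificate is still valid after N seconds.
    if openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Prints skip, renewed, failed or error and returns a matching status.
renew_if_due() {
    local rc=0
    cert_needs_renewal "$1" "$2" || rc=$?
    case "$rc" in
        1) echo "skip"; return 0 ;;
        2) echo "error"; return 2 ;;   # a broken path should alert, not renew blindly
    esac
    # Renew first, then reload gracefully: Apache re-reads the certificate
    # while in-flight requests finish, so the server is never stopped.
    # The commands are left unquoted on purpose so their arguments split.
    if $RENEW_CMD && $RELOAD_CMD; then
        echo "renewed"; return 0
    fi
    echo "failed"; return 1
}

# Runs only when invoked with --run, for example from a daily cron job.
if [ "${1:-}" = "--run" ]; then
    renew_if_due "$CERT" "$RENEW_DAYS"
fi
```

Running the check daily and renewing only inside the window keeps request volume to the certificate authority low, and a non-zero exit status gives cron something to report when renewal fails.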