Why is HTTPS such a big deal nowadays?

[anotheri]

For the past maybe 5 years or so I've been hearing the constant harping about "HTTPS", recently the big players like Google, web browser makers, etc want to list sites that still use HTTP has "unsafe" or somehow blacklist them.

I get what HTTPS is, I use encryption everywhere myself, SSL/TLS connections to everything, Open VPN 256, HTTPS everywhere extensions on the browser, etc..

With that said, why is it such a big deal all of a sudden, especially in the past say 5-6 years?

We got along just fine with HTTP only sending stuff in the clear for 15-20 years before HTTPS starting taking over. I had no problem using ebay, doing online shopping, banking, e-trade securities, etc in the early 2k through HTTP, no digital certs, etc. Using unencrypted coms was considered acceptable for the majority of the internets life thus, what changed all of a sudden to make this such a security vulnerability? Like it would be considered blasphemy nowadays to conduct any kind of online transaction without at least HTTP.

I'm genuinely curious about what changed. About the only thing I can think of is the prevalence of wireless networks vs wired only networks since the late 90's/early 2k vs now. The whole point of HTTPS is preventing MITM attacks, which is stupid easy nowadays over wireless networks transmitting unencrypted information (like when you don't use HTTPS) but back in the day of wired only single point internet access (your desktop at home plugged into a modem), even with stuff being sent in the clear there wasn't really anywhere to Man-In-The-Middle attack from unless you tapped into the local ISP's physical network. Then again I don't know anything, that's just my educated non-computer guy guess.

[Petermint]

With thousands of big companies and countries tracking your every visit to a Web site, HTTPS provides a little bit of privacy. All your private details are still published by Faceblab, Twit, and Tinder to anyone who has money. If you happen to not use Facebleak or Tweeker and prefer to meet humans instead of photoshopped images, HTTPS will help a tiny little bit.

[smurphos]

I'm genuinely curious about what changed. About the only thing I can think of is the prevalence of wireless networks vs wired only networks since the late 90's/early 2k vs now. The whole point of HTTPS is preventing MITM attacks, which is stupid easy nowadays over wireless networks transmitting unencrypted information (like when you don't use HTTPS) but back in the day of wired only single point internet access (your desktop at home plugged into a modem), even with stuff being sent in the clear there wasn't really anywhere to Man-In-The-Middle attack from unless you tapped into the local ISP's physical network. Then again I don't know anything, that's just my educated non-computer guy guess.

This - plus there is no control over who might sniff your data once it's left your ISP network (assuming you trust your ISP and it's staff - I wouldn't) on it's way to the destination IP. That has always been the case, but the industry has only cottoned on recently. In these days of state sponsored mass surveillance HTTP is a privacy no-no.

[rene]

I'm genuinely curious about what changed.

The internet. Its usages and usage level and resulting attempts and level of attempts by relatively serious criminals to obtain your financial and/or identity data.

While, as you concentrate on, encryption between your computer and the website is in that sense already often advisable, the authentication offered by the SSL certificate may be of even more direct importance. That is, you being assured by "the green lock icon in your address bar" that it is in fact your bank's website you see in front of you; not a spoofed version you were directed to by (email) link, or even by malicious DNS, so as to obtain your login data. It is also important said "green lock icon" gets to be the by users expected situation: it's only after a sufficient percentage of sites offer it that browsers can get serious about warning when it is not present.

So encryption good, authentication very good, expected authentication quite good. And progressively better while the internet penetrates ever deeper into lives -- and criminals ever deeper into the internet.