You may or may not know about HTTPS, the secure, encrypted version of the normal protocol used for the web. Rather than transmitting your passwords and surfing trail around in plaintext, it’s all encrypted.

Normally, sites use it for logging in, to protect your username and password. This is great. But why don’t we use it all the time? There is some cost on both ends to encrypt the data, but surely the cost isn’t prohibitive?

For most sites, it doesn’t matter, but a recent egregious example is Gmail. They’ll use HTTPS to log you in, sure, but after that, they downgrade you to the same protocol on which you came. Which means that all your email is passed around in plaintext if you didn’t explicitly ask for encryption. You can turn on encryption by just changing the http:// to a https:// in the location bar. There’s even a greasemonkey script to force Gmail to use HTTPS. But why should you have to bother?

Another silly example is FastMail, my erstwhile mail provider. On their front page, they have two login buttons: “Secure Login” and “Login.” These buttons swap location depending on whether you access it from a https:// or a http:// address. Why would anyone want a non-secure login?

I think these sites should just force encryption. Especially since they are both email services which traffic in very sensitive information. Other sites could use it too, though. I don’t see why I wouldn’t want my shopping, searching, porn watching, or really anything at all encrypted.

For my part, I will try to use the https:// form of addresses in my links when I can, starting with this post.