
Honest question: is jumping through all the hoops to enable HTTPS really worth it for a personal static website? Are hijackings really that common? It seems like a lot of hassle for negligible benefits... plus it's not just a one-time thing, the best practices seem to change every few months and not following them can result in "very bad things". It's a heck of a lot easier to just run HTTP.


The first site you ever set up will take you 2-3 hours of screwing around. The next will take you about 20 minutes. After that, it'll take you 5-10 minutes per site. If you decide to go with CloudFlare, it'll take a different amount of time because you'll be setting up DNS through them as well.

It is worth it. Here's why: nobody is going to target your 10-visitors-per-month site directly. You are right, most people don't care. However, there are two types of attacks that will get you in trouble. First, where I decide to sit in a coffee shop and simply hijack every HTTP request. In this case, I am not targeting you directly, but you are susceptible. Even if you don't care about that (say, you know that none of your readers are coffee drinkers/public Wi-Fi users), a much worse situation is where a network attacker is able to attack a large number of sites hosted with e.g. a specific provider. Let's say I discover that Digital Ocean has a vulnerability where I can spoof your IP. I would then MITM all HTTP traffic to all DO hosts, and if you happen to host with them you are screwed. Note that Google doesn't care whose fault it is: they blacklist first, ask questions never.

So in short, it takes very little time/money, it's a skill you should have if you run your own site, and it's warranty against bad things happening.


Has Google ever blacklisted a site due to an attack like that? I see the risk, I'm just trying to understand how likely it is.

When I first read your scenario about hijacking my site via public wifi, it didn't strike me as very important... but after thinking about it for a few minutes, I do see the harm. Even if it's just someone screwing with my resume, I can envision situations where it could do a lot of harm.

And you do make a good point about the Google blacklist, the consequence of a Google blacklist is very bad. Even if unlikely, that alone is probably enough reason to enable HTTPS.

I've set up HTTPS several times on the small sites that I run, and probably spent about 6 hours on the process in my lifetime. Right after Heartbleed came out, I switched to HTTP only. Now maybe it's time to redo the process and get it set up again...


I've only had a site blacklisted once. My father ran a WordPress blog on shared hosting and got hacked (probably weak password or vulnerability in one of the plugins or WP itself, who knows). His site was pretty quickly blacklisted, and even after he scrubbed it, leaving just a basic index.html ("we are coming back" type thing), it stayed blacklisted for at least several days. I am sure others have more experience with this, I've just been lucky.


... and $10 apiece, because you're nuts if you use Startcom after they charged everyone to rekey their certs after Heartbleed.


I believe the point OP was trying to make is "if it hurts, do it more often" [1], hence it's worth setting up HTTPS for a personal static site not due to hijackings but to practice the best practices.

[1] http://martinfowler.com/bliki/FrequencyReducesDifficulty.htm...


If you just want your site to "sit and do nothing", you still need to worry about security updates for software. Even with many static sites.

So staying up to date is worth it no matter what.


I agree, but with only nginx (http only) and sshd public facing services, it's usually a very quick and easy update. Dealing with https vulnerabilities can make it a lot harder to keep up, especially when the fix is not as easy as simply upgrading the software and restarting the service.


If you care about SEO, you betcha.
