What is wrong with Flexible if the User Doesn't Enter Any Data?

Continuing the discussion from Facing issue 520 Error while loading my site:

So I thought I’d make a dedicated thread for this as no one seems to actually explain what is so awful and dangerous about using Flexible for SSL when the website user will not be doing anything other than browsing.

If, for example, a site just displays info (say a simple blog) and the user does not have to login or enter any info whatsoever. They just browse, read a post or 2, then leave.

What is the risk to them?

I get “it’s not encrypted” but what needs encrypting if they are not actually entering anything?

(Please be aware this is more just for my own personal curiosity than anything else and not in relation to a specific site or anything, just genuinely curious!)

If the website visitor is never going to enter any info other than browse what risk are they at with eg Flexible?

We’ve explained it, but so many people use Flexible that it’s nearly impossible to find in Search. Other than a very basic “If you think SSL is important, why aren’t you using it on your server?” I find the setting offensive. To put it in COVID terms, it’s akin to “Masks (SSL) are important. I’m (the server) not going to wear one, but I want you (the browser) to (have SSL).”

And for a real life example that shows that anybody between Cloudflare and your hosting account can completely have their way with your site:


Good read

I’m guessing Airtel never replied to the follow up questions, which in itself is very suspect!


On top of what @sdayman already summarised I have to admit I am afraid I find the whole discussion rather absurd.

Certificates have never been overly expensive but you could get them already for $10 a year. Plus there have been free options for close to two decades.

The whole thing is a non-issue and every single time it was discussed it was a pointless discussion. If you want SSL, good, get a certificate and configure your server properly. If you don’t want SSL, fair enough, set it to Off, keep your site on HTTP, and you are good as well.

Your site doesn’t need to be on SSL but it should be clear to your visitors and you should not lie to them.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.