No offence but as an "expert" there is no excuse to run a webpage/blog etc. with no https.
With Vercel, Netlify and many others offering free static hosting and Let's Encrypt HTTPS certificates there is no excuse to run a site without an SSL certificate.
To me the moral of the story is that you should never ever follow instructions by an alleged bank calling you asking to confirm information and, even worse, give them codes over the phone. Especially if you are an "expert".
The most unbelievable part is falling for the idea that if you had called back your whole account would be on hold. That was such a smoke bomb that was easily detectable.
If this seemed plausible as you dislike your bank and don't like the service, why not take your business elsewhere?
From your own story, if anything, Wells Fargo prevented this from becoming a much bigger problem and acted very promptly to your request.
HTTPS provides essentially no security to a broad spectrum of attacks-- particularly, any attacker that can position himself between the webserver or name server and any CA is largely unaffected by https. Only attackers that are limited to intercepting between the webserver and end client are meaningfully thwarted. It isn't magical pixie dust. It doesn't appear that this page provides any information or service that would be meaningfully protected by https.
The most important reason to have it is to avoid the automatic search engine downranking that Google now applies to non-https sites (helpfully elevating all manner of spam and scams over decades of technical documentation).
> To me the moral of the story is that you should never ever follow instructions by an alleged bank calling you asking to confirm information and, even worse, give them codes over the phone.
Unfortunately, as pointed out by many others in this thread, many banks engage in and even sometimes require you to comply with scam-indistinguishable behavior, making your maxim hard to follow. Even ignoring that, everyone makes mistakes, gets distracted, or has bad days... this makes security very hard, even for experts.
HTTPS is when you ask 200 companies if any of them knows the key for your bank. And they are all run by charlatan boomers who think buying more firewalls and cool security products is equivalent to securing their private cert signing keys. Why on earth would I ever want this? Like hello, have you ever seen ultracorporate tech company culture? They really don't know what they're doing. Why would you trust them, let alone trust 200 of them in a way such that even if one of them messes up, all your sites are compromised?
Imagine that domain names contained the public key in them. I Google up "mybank", and it gives me https://8c789ad256afa4ca93f1af6436e7adff51cdd1c380de7d7cc78b...
This takes <1000 lines of code to implement and already stops the only thing that HTTPS stops: a noob MITM positioned attacker who can't break into CAs. The MITM can't change the Google results, because you already came from https://a4244aa43ddd6e3ef9e64bb80f4ee952f68232aa008d3da9c78e..., which you somehow obtained before the MITM happened.