[plasticxme]

This is an awkward argument. One of my sites documents how to configure servers, for example. What excuse is there that something like that needs to be encrypted?

The most legitimate reason I've heard is for privacy. I don't believe the gov't is going to lock someone up for learning how to serve web pages.

[geofft]

Integrity protection. There are a lot of ways to instruct someone to configure their web server in a way that is subtly insecure, not to mention attacks like http://thejh.net/misc/website-terminal-copy-paste

It'd be slightly nice if we were able to have integrity-protected HTTP without encryption (lower overhead, easier debugging with packet dumps), but the advantages are minimal (ciphers are not really the overhead, SSLKEYLOGFILE is a thing) and it's a lot of complexity to the web platform, which is a downside for web developers like you and me: the rules for mixed content between HTTP, HTTPI, and HTTPS are going to be much more involved and confusing.

[Franciscouzo]

You can already send unecrypted authenticated data with HTTPS.

[geofft]

Via one of the NULL-cipher suites? That's a somewhat expansive definition of "can" and "HTTPS," since most if not all browsers are unwilling to negotiate any of those suites. Indeed, most SSL libraries make it hard to use those suites: for instance, OpenSSL says (`man ciphers`), "Because these offer no encryption at all and are a security risk they are disabled unless explicitly included."

Which makes sense, since they'd have the exact same problems as an explicit HTTPI protocol, just even more confusing: you'd want to not send things like secure cookies across those ciphers, you'd have to handle mixed content with actual-HTTPS carefully, etc.

[n3t]

Using HTTP instead of HTTPS allows an evil ISP injecting, for example, ads into your website or modifing its content in any way while serving it.

[lol768]

Keep in mind you're also ensuring the integrity of the document is kept and the user has (to some degree) a good idea that the document is actually from you. Confidentiality is only one aspect. I think a couple of ISPs in the US were injecting ads/content at one point into pages served over HTTP.

[lambau]

Consider Tor: in this case, your "ISP" is a random server on the internet. Maybe your Comcast or TimeWarner ISPs will not be malicious, but with Tor, any one in the world can register to be an exit node/ISP. HTTPS helps protect you from attacks in this "random ISP" model.

[krapp]

>I don't believe the gov't is going to lock someone up for learning how to serve web pages.

That's essentially the same as not locking your car doors because you feel your car isn't worth breaking into.