[BinaryIdiot]

> IMHO there is no reason not to have HTTPS everywhere, especially now Let's Encrypt exists

I don't want to disagree with you but I do. I most certainly agree that HTTPS must be everywhere and it's easier than ever before. Where I disagree comes with less experienced developers. I can write a quick PHP / Rails / Node / whatever web server to show some website real fast, deploy by uploading it to a shared hosting package or something fancier like elastic beanstalk, and it's done and up there. Yes it's on HTTP but it's so easy. Now you want to add HTTPS to it? It's not easy. Let's Encrypt makes some aspects of it easier but until the amount of fiction is similar to the process of deploying HTTP you'll never see HTTPS ubiquity in my opinion.

[okket]

> Now you want to add HTTPS to it? It's not easy.

Try Caddy with automatic HTTPS [0] in reverse proxy mode [1].

[0] https://caddyserver.com/docs/automatic-https

[1] https://caddyserver.com/docs/proxy

[Teichopsia]

Pardon my ignorance, but as a complete beginner how do you hook that up with a python (flask / gunicorn) app?

[okket]

Run the python process on a different port and let Caddy act as a proxy, forwarding requests from the original port to it. As described in the second (proxy) link.

[pg_is_a_butt]

i use let's encrypt on google app engine... it took less than 5 minutes. google could very easily automate it for everyone, but that removes the direct verification between domain owners and certificate authorities.

granted, you're already giving up this control when you host with any 3rd party, but the CAs are being reckless if they encourage it.