by JoshTriplett 3375 days ago
If you have a free plan at all, then the only reason TLS should not be a paid feature would be if you intentionally want to position the free plan as "don't take this seriously because you can't build anything production-quality on it".
3 comments

> If you have a free plan at all, then the only reason TLS should not be a paid feature would be if you intentionally want to position the free plan as "don't take this seriously because you can't build anything production-quality on it".

I only just now noticed a rather serious typo there, making that sentence confusing. Should have said "the only reason TLS should be a paid feature", which fits with the rest of the sentence.

There are ways of doing that without sacrificing security. Making TLS a paid-only feature makes no more sense than making CSRF protection a paid-only feature.
On Heroku, TLS is enabled if you use the *.herokuapp.com domain, even on free plans.

So really they are charging you if you need a custom domain and security (i.e. something most businesses do need and most hobbies don't).

Seems like a reasonable and fair way to segment their market to me.

That makes sense for a hosting service. A lot of them work that way. Hosting a static free blog doesn't need TLS.
Considering the amount of crap ISPs have been known to inject into websites, I disagree. TLS isn't just for encryption, it also provides data integrity.
This is the correct answer. Use this reasoning.
Yes it does. Stop spreading this misinformation because it is dangerous. Everything should be encrypted. I don't want people knowing that I'm reading your blog or what on it I am reading.
Now who's spreading misinformation? HTTPS doesn't protect the fact you're reading a blog (the IP of the server will be observed, and typically the server name through the cert itself), and while one can't prove which URLs of the server you visited, one can infer based on the amount of traffic sent.
There's a pretty significant difference between someone being able to tell, for example, that you visited medium.com, and that same someone being able to tell exactly which blog post you read because the whole request is unencrypted.
Beyond just the cert itself, the client will typically announce in plaintext the hostname it is seeking to talk to, as part of SNI.
> Hosting a static free blog doesn't need TLS.

Many kinds of static content need TLS, including protection from MITM and protection from eavesdroppers. Static doesn't mean "not sensitive". (Leaving aside the reasonable presumption today that all content is potentially sensitive.)