[metafunctor]

Browsers should show a warning that a "possibly insecure legacy mode" is in use.

If browsers enforce HTTPS in a similar way, I don't see why they shouldn't enforce better security elsewhere as well.