by bulatb
2334 days ago
That's a good point and a dirty trick, but like you said, it's why we have HSTS and preload lists.

I only serve HTTPS (as best I can) because I've never had a case where something truly justified the possibility my system would betray my user. I'm sure I could contrive one, and probably there's someone somewhere who'd agree, but I would rather treat that case existing as a bug to be fixed and not a use case to support. Otherwise you get stuff like the other recent thread [0] with people proudly serving unauthenticated binaries with HTTP for no defensible reason.

Someone in a cousin comment made another, maybe better point: URLs get linked and crawled and cached and having them HTTP just normalizes something that was fine in 1995 but isn't fine in 2020. It's always possible for someone to get proxied like you said, but it's still safer overall if ever seeing "http://" raises eyebrows.

There's another front page thread [1] right now about the normalization of deviance.

[0] https://news.ycombinator.com/item?id=22136710
[1] https://news.ycombinator.com/item?id=22144330