by MaxBarraclough 2335 days ago
> It's not an insecure protocol.

It absolutely is. In what sense is HTTP anything but an insecure protocol?

HTTP does not prevent man-in-the-middle attacks or content-injection. It does not ensure you are connecting to the domain you think you're connecting to. It does not prevent snooping on transmitted data. If it did, there would have been no reason to invent HTTPS.

> Without that terrible design choice, prioritized because of commerce and the desire to change the web of documents into a surveillance operating system, HTTP would be, and is, just fine

Absolutely not. You do not get privacy without HTTPS. You do not block MITM without HTTPS.

It's obvious that HTTPS should be used for online banking and for software updates, but HTTPS should also be used for ordinary websites, to protect your privacy and to prevent content-tampering (by an unscrupulous ISP, or when using insecure Wi-Fi).

People sometimes give Wikipedia as an example of something that doesn't need HTTPS, but these people clearly haven't spent much time thinking about it. A snooping ISP should not be able to tell whether a customer has been looking up an embarrassing medical condition.

I'm reminded of a lengthy Hacker News discussion on this same topic, a month ago [0].

The only compelling arguments against HTTPS are that old smartphones used in developing countries don't support it, and that it prevents HTTP caches like Squid. Browser defaults regarding JavaScript certainly have nothing to do with it.

[0] https://news.ycombinator.com/item?id=21912817

2 comments

> Absolutely not. You do not get privacy without HTTPS.

My sites do because I put all of them up as Tor hidden services too.

> Browser defaults regarding JavaScript certainly have nothing to do with it.

They do. Because everything 'insecure' you just described comes from users running code that might be injected. There's no danger from some entity tricking some person into viewing a simple HTML page.

> everything 'insecure' you just described comes from users running code that might be injected.

No, I gave 3 different examples where JavaScript is irrelevant but HTTPS is still important.

* Online banking (HTTPS prevents snooping)

* Software updates (HTTPS ensures you get untouched data)

* Browsing a Wikipedia page about a medical condition (HTTPS prevents snooping)

> There's no danger from some entity tricking some person into viewing a simple HTML page.

That's not true. Not all browser security flaws involve JavaScript.

Browser flaws aside, it's still important to prevent an attacker from modifying the page to perform a phishing attack (tricking a non-technical person into visiting faceb00k.com, and then capturing their password). Less seriously, HTTPS blocks injection of spam into your page by an ISP.

HTTPS is also important to prevent profiling by unscrupulous ISPs.

You do realize your ISP knows you visited a domain like Wikipedia. The only thing private is the page content, which can be gotten by visiting your request.

That isn't news to me, and it does not undermine my point. Again: A snooping ISP should not be able to tell whether a customer has been looking up an embarrassing medical condition.

Someone going on Wikipedia tells you relatively little. Knowing which specific pages they've been reading tells you a great deal more.

HTTPS goes a long way to preventing a snooping ISP from telling which page you visited. A truly committed ISP might still be able to infer it from the traffic patterns, but they'll have a much harder time than with plaintext HTTP.

With a very large property like Wikipedia it's probably unavoidable that it'll be possible to determine that you contacted Wikimedia, even just from IP addresses. If that's too much you'll need Tor.

But far from "the only thing" being page content, almost everything is "kept private" with HTTPS, the request itself including any body provided, and the response to that request.

So while "visiting your request" might well get them their own copy of the content of a particular encyclopedia page you looked at, they're stuck with not knowing what that request was.

And eSNI plus DPRIVE is the final dash to a finish where the ISP doesn't even know which Wikimedia host you visited, assuming they all share the same IP ranges. Italian Wikipedia? Simple English? Wiktionary? Wikivoyage? That's suddenly an ocean of possibilities.