[Kaknut]

Really loved your article buy why no SSL/HTTPS? It's free afterall.

[cnst]

HTTPS is not free. It has a very significant management/maintenance and compatibility overhead, which is unavoidable by the very nature of HTTPS.

[ac29]

On the scale of a personal blog, its approximately 0 minutes per year to maintain HTTPS certificates using Lets Encrypt with something like certbot (or use Caddy, which handles it on it own).

[cnst]

Absolutely false. On the scale of a personal blog, the cost of HTTPS is enormous, but the benefit is approximately 0.

[sroussey]

Which can be automated.

[cnst]

Yes, you gotta automate a whole bunch of things if you need HTTPS, you have to update the protocols every few years, certificates as often as every few months, OpenSSL versions on a moment's notice.

Or, you could decide to just go HTTP-only for your blog, and never bother doing any of the above, never worry about any automation failing for any reason, never worry about any expired or revoked certificates, never worry about the extra compatibility issues that TLS brings. There's no benefit for HTTPS for a personal blog. It's only there to restrict the access, increase attack surface, and cause compatibility issues.