by MaxBarraclough 2084 days ago
This topic crops up occasionally. With very few exceptions, all web content sent over the public Internet should be protected with HTTPS. The question isn't "Why?", but "Why haven't they bothered yet?"

There are plenty of reasons to use HTTPS [0] relating to privacy, security, UI, and browser features, and there are virtually no good reasons not to. There are just 2 real exceptions I know of, neither of which applies here:

1. Using unprotected HTTP enables caching. In the context of something like an apt repo, or Steam, this could be a compelling advantage. (apt provides its own checksum-based security, and doesn't really aim for privacy.)

2. Very old smartphones might not support modern TLS. In some parts of the world this can be a real concern. Even here, HTTPS should be offered, just not required.

[0] https://news.ycombinator.com/item?id=22147858
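As an added illustration of the first exception (not part of the thread or of apt's own code), here is a small Python model of apt's checksum-based integrity check: the Packages index lists each .deb's Size and SHA256, so a package fetched through any HTTP cache is accepted only if it matches what the index promises, whatever path the bytes took. It assumes the index has already passed apt's GPG signature check on the Release file (omitted here); the index stanza and package bytes are constructed samples.

```python
import hashlib


def parse_packages_index(text):
    """Parse the RFC 822-style stanzas of an apt Packages file into a
    dict keyed by Filename. Each stanza describes one .deb."""
    entries = {}
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            # Continuation lines start with a space; skip them here.
            if ":" in line and not line.startswith(" "):
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        if "Filename" in fields:
            entries[fields["Filename"]] = fields
    return entries


def verify_deb(index, filename, payload):
    """Return True only if payload matches the Size and SHA256 that the
    (already signature-verified) index records for filename. The
    transport that delivered payload plays no part, which is why a
    caching proxy cannot silently substitute a package."""
    entry = index.get(filename)
    if entry is None:
        return False
    if int(entry["Size"]) != len(payload):
        return False
    return hashlib.sha256(payload).hexdigest() == entry["SHA256"].lower()


# Constructed sample: a fake package body and the index stanza describing it.
GOOD_DEB = b"!<arch>\nconstructed sample .deb body\n"
FILENAME = "pool/main/h/hello/hello_2.10-2_amd64.deb"
SAMPLE_INDEX = (
    "Package: hello\n"
    "Version: 2.10-2\n"
    "Architecture: amd64\n"
    f"Filename: {FILENAME}\n"
    f"Size: {len(GOOD_DEB)}\n"
    f"SHA256: {hashlib.sha256(GOOD_DEB).hexdigest()}\n"
)
INDEX = parse_packages_index(SAMPLE_INDEX)

if __name__ == "__main__":
    print("intact copy accepted:", verify_deb(INDEX, FILENAME, GOOD_DEB))
    # Same length as the original, so only the hash check catches it.
    tampered = GOOD_DEB.replace(b"sample", b"tamper")
    print("same-size tampered copy accepted:", verify_deb(INDEX, FILENAME, tampered))
```

Note what this does not give you: anyone on the path still sees which packages a host requests, which is the privacy gap the comment alludes to.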


I know the general case for HTTPS. I am a system administrator. I was asking for this particular case where I for one see no need.
> I for one see no need

asdffdsa mentioned plain old MITM. I listed several other applicable reasons in my linked comment:

1. It allows an unscrupulous ISP to more easily track your browsing.

2. Modern browsers will rightly warn users not to trust the site. This makes the site look bad.

3. It prevents MITM injection of ads, trackers, and most importantly malware. There will always be browser exploits, so they're worth blocking.

To prevent things like the Great Cannon of China from performing a denial of service attack against a third party.
MITM with an identical page but malicious links.