[inglor]

HTTPS is free (with let's encrypt) and useful for privacy.

For example: No one is stopping someone from intercepting your request to your clinic and add a form asking for personal details - and then using those details to "restore password" - or simply ask for your CC number. You might not fall for it but are you as confident in all other patients?

[iso1210]

> with let's encrypt

My biggest concern as http becomes less and less acceptable is that practically the entire internet relies on lets encrypt to run.

[klodolph]

Not to run, just to keep running long-term. If Let’s Encrypt exploded you would have less than 30 days to get it running again. But that’s not such a short time.

[vandal_at_your]

Nope. https, hybrid crypto and pub->free CA's are the largest backdoor into internet traffic ever (accidentally) devised. The standardization on https for everything (including alt app protocols (dns,etc...)) is very apparently an info grab.

Sym crypto is the only answer (Schneier,DJB) people have been trumpeting this for years.

[iso1210]

If I connect to a server via https and see it's certificate, I am confident that my communication is secure between me and the server hosting that certificate.

To validate the person holding that certificate is who they claim to be, how can I do that? By either getting their certificate out of band (impractical), or trusting an intermediate.

Lets encrypt doesn't make it any easier or harder to get an invalid certificate.

Now if the server wants me to authenticate, https has that built in. I can present my own client certificate, and if it's signed by somewhere the server trusts, it knows who I am. But how would a random server authenticate who I am? I'd personally rather use certificates or ssh keys or similar than usernames and passwords, but that's too complex for the average person.

Clearly I could have lost control over the key to my certificate, or the server could have lost theirs, there's not much you can do about that, no matter what type of authentication system you use.

[logicOnly]

It's not free when you need to pay someone to update your website.

Grandma might be able to edit HTML, but "what's sudo? What's ssh? This one website says I need to pay for certs?"

[robertnn]

So what are you saying? That we should sacrifice security (as explained in sibling comments) in order to allow grandmas to create their own web pages?

[ksaj]

It all sounds ageist and misogynystic to me. I work with a few grandmas who are right there on top of the newest technologies going. One is a scientist working on a hell of a cool cloud product. Old ladies aren't the model of stupidity, as this thread might lead someone to believe.

[fenesiistvan]

Yes, exactly. Grandma should be able to easily publish. Now grandma doesn't say anything because the unnecessary complication pushed by google (https and now http3 which might be enforced a few years later. These has little to do with security and performance; mostly the google ad business has any revenue from all these complications)

[kube-system]

Grandma also pays her registrar and ICANN for the domain every year too. Free was never the price of having a website, and it's not a reasonable standard of expectation today. As is with literally anything else that needs maintenance, if you can't maintain it yourself, you have to pay someone else to maintain it.