by iso1210 2087 days ago
https doesn't flag that.

Your browser might flag a http server as dangerous (mine doesn't - it just has a padlock with a line through), but you're leaking information to your ISP that you are reading about a Physical Therapist.

If your site tries to do https and fails (self-signed or invalid certificate) it will rightly flag up that it's a problem.

My grandma would not be able to manage a server on the internet, let alone responsibly manage it. If you can't set up a modern server with https then you shouldn't be running a server on the internet at all.

2 comments

Assuming your physical therapist has their own website with its own domain, and not just, say, a Facebook page, you're leaking that information to your ISP with https, too. https doesn't hide the domain you're talking to, just the specific URLs within that domain.
We have SNI. Now sure, your therapist may run their own VM on its own IP address, but that's not very likely.
SNI doesn't encrypt the desired hostname in the payload of the initial connection. It's still plainly visible to an eavesdropper. They can also observe un-encrypted DNS lookups.
Chrome and derivatives display "! Not secure" in the omnibar, which is presumably what they are referring to.
20 years ago the world thought that IE6 was synonymous with the internet.

Thank god we moved on from that.