[murphy1312]

yes it is. someone has to give you a certificate which the users browser accepts. even if its free today.

lets say a simple website which someone uses to display some holiday pictures. why would we need https here, if there is no login or anything like that?

it just adds an extra hurdle for not so tech-savvy users and increases the trend to abolish small private websites.

[lokedhs]

I don't know. Let's say that some non-technical family member goes to this site intending to look at vacation pictures.

Imagine if those pictures have been replaced by something else. If you can't think of a long list of replacement images that could be very useful for a spearphishing attack, then you're not having enough imagination.

This attack could also be used to get the poster of the photos in trouble.

[hsbauauvhabzb]

If my choices are to implement a security control which forces a layer of security, or forgo that security control so Alice can upload her Holiday pictures to a host which doesn’t support HTTPS either, I know which one I’ll pick. Alice should either host her photos on Instagram, or learn how to run letsencrypt.

The day where certs are no longer freely obtainable is the day another self governed free TLS provider will appear and force their way into the market by providing installers to inject CAs into system cert stores.

There’s always TOR if you disagree.

[dingaling]

> Alice should either host her photos on Instagram, or learn how to run letsencrypt.

Both leading to further centralisation of the Internet.

> by providing installers to inject CAs into system cert stores

That's already pointless on Android, user-installed CAs are ignored by default unless an app developer opts in to using them.

Once we go down this path there's no turning back to the user-centric Web of the 1990s / 2000s

[hsbauauvhabzb]

> That's already pointless on Android, user-installed CAs are ignored by default unless an app developer opts in to using them.

And? App developers should opt in to ignoring transport security. I’m sure a bunch of Android shitware attempts to install CAs either via user interaction or exploitation.

> Once we go down this path there's no turning back to the user-centric Web of the 1990s / 2000s

The landscape we live in now is very different to then. I’m all for a free web, but not at the cost of security. The web is now a multi billion trillion dollar industry. Weakening security just so Bob can see Alices’ holiday pics in situation where Alice can’t figure out letsencrypt, is frankly unhinged.

If you want a ‘free web’ you’re welcome to disable any HTTPS enforcement and disable TLS cert checking entirely. Hell, fork a browser, be very clear about the security weaknesses and publish on github if you feel that strongly, I’ll even star it for you.

[CamperBob2]

The web is now a multi billion trillion dollar industry.

Maybe your web service is, but mine isn't. Mine is a specialized embedded device server that now has an expiration date for no reason on God's green earth.

[hsbauauvhabzb]

Feel free to fork Mozilla codebases if you disagree with fundamental security concepts.

[rakoo]

As a visitor to the website, how can I be sure it's only holiday pictures ? If I get to your friendly website and it asks me for private information, and I'm willing to give it because I trust you, what tells me only you will receive it ? How do I know it's your holiday pictures, and not some scam someone else wants to trick me into ?

[CamperBob2]

Here's a novel idea: how about popping up scary warnings when an insecure site asks for information, as opposed to if the insecure site merely exists?

Static content does not need https unless there are reasons for privacy or MiTM concerns related to the nature of the content itself.

[rakoo]

But you don't know if it's the real content. There's a problem even before entering information. What tells me it's your holiday pictures and not someone else's, and a person in the middle wants to tarnish your name ? What if your ISP/your hosting provider adds ads in the page, or a MiTM adds a link to a scam site ?

[ubercow13]

Of all the parts invloved in setting up a web server, is adding a letsencrypt a significant further barrier? In what situation would a non-tech-savvy user ever be doing that in the first place?

[CamperBob2]

Hint: not all web servers run inside Facebook or Google or Amazon data centers. Some of them run inside individual devices, which will now end up in the landfill once their certificates expire. Many such devices were, and are, just fine running plain old HTTP, but now they're all going to be subject to service life limits imposed by a third-party authority.

This is not how this was supposed to work. This is not how any of this was supposed to work. But it's hard to voice any objections over the proverbial thunderous applause.

[isbvhodnvemrwvn]

I can MitM that site and add login or arbitrary content.