[naf77]

HTTPS-everywhere, along with constant monitoring and reporting of certificate chains by the browser, are designed to protect against QUANTUM attacks [1], which, ~10 years ago, was being scaled to support million of simultaneous attacked devices.

It is not cargo-cult security.

[1] https://en.wikipedia.org/wiki/Tailored_Access_Operations#QUA...

[superkuh]

HTTPS Everywhere (client side option) is great. HTTPS only (server side option) is not.

[naf77]

HTTPS only is a "Fail Closed" system, ie it blocks access in case of failure. This is safe for the general population.

HTTPS/HTTP mixed support is a "Fail Open" system, ie it allows (unencrypted) access in case of failure. This is unsafe for the general population, see QUANTUM (above).

[superkuh]

You can argue for wearing a bulletproof vest at home if you're an iraqi nuclear scientist. But for most people it doesn't make sense and does more harm than good.

In the same way, HTTPs only, *requiring* a system that "fails open", is bad for the general population. HTTP+HTTPS, yes, definitely. HTTPS only, no, only for sites and contexts where the rigid security is justified.

[patmorgan23]

Yes context is key. Its ok for wikipedia to fail back to HTTP but not for bank.