by kstrauser 1976 days ago
Eh, 98.24% of all users worldwide can use TLS 1.2: https://caniuse.com/?search=tls%201.2

I'm not willing to make security exceptions to support devices from 2011. "HTTPS by default" lifts all boats: people who would MITM your users can't tell if they're reading your nice blog or a critique of their local government, and that's a good thing.

3 comments

> Eh, 98.24% of all users worldwide can use TLS 1.2: https://caniuse.com/?search=tls%201.2

That's 98.24% of users captured by CanIUse's sources (which seems to be StatCounter). Like most things on the Internet, that's a bubble - the bubble of users who visit statcounter-infested websites, and are able to run their scripts. And the point of the original post is to think outside the bubble. Not in all cases - if you're a B2B service, or selling T-shirts with slogans on them, CanIUse is likely a good enough source to base your choices on. But if you're a government website, or providing critical Covid-19 data for example, it's irresponsible to ignore this long tail of users who fall outside expected and easily visible patterns. There's a spectrum between these two kinds of websites, and it's worth thinking about where you fall on that and how many you're comfortable with denying access to your website.

It's a tradeoff between security and accessibility, and we should at least be thoughtful about the implications of our decisions.
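One way to act on "think outside the bubble" is to measure the audience you actually have rather than the one StatCounter sees. The following is an added Python example, not code from the thread or from any commenter; it assumes a hypothetical nginx `log_format` that appends `$ssl_protocol` and `$ssl_cipher` after the user agent, and the log lines are constructed samples.

```python
import re
from collections import Counter

# Constructed sample lines in a hypothetical nginx log_format that appends
# "$ssl_protocol $ssl_cipher" after the user agent. Not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0" TLSv1.3 TLS_AES_256_GCM_SHA384
203.0.113.11 - - [10/Mar/2021:10:00:02 +0000] "GET /data.csv HTTP/1.1" 200 88210 "-" "Mozilla/5.0" TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
198.51.100.7 - - [10/Mar/2021:10:00:03 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Linux; U; Android 2.3.6)" TLSv1 AES128-SHA
198.51.100.8 - - [10/Mar/2021:10:00:04 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0" TLSv1.3 TLS_AES_128_GCM_SHA256
203.0.113.12 - - [10/Mar/2021:10:00:05 +0000] "GET / HTTP/1.0" 200 5120 "-" "curl/7.29.0" TLSv1.1 AES256-SHA
203.0.113.13 - - [10/Mar/2021:10:00:06 +0000] "GET / HTTP/1.1" 301 162 "-" "Mozilla/5.0" - -
"""

# Protocol versions that a "TLS 1.2 minimum" policy would refuse.
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}

# The two whitespace-separated fields that follow the closing quote of the
# user agent: negotiated protocol and cipher ("-" "-" for plain HTTP).
TAIL_RE = re.compile(r'"\s+(\S+)\s+(\S+)\s*$')


def tally_protocols(log_text):
    """Count negotiated protocol versions; '-' means the request was plain HTTP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = TAIL_RE.search(line)
        if not m:
            continue  # line lacks the TLS fields; skip rather than guess
        counts[m.group(1)] += 1
    return counts


def legacy_share(counts):
    """Fraction of TLS connections that would fail if pre-1.2 protocols were disabled."""
    tls_total = sum(n for proto, n in counts.items() if proto != "-")
    if tls_total == 0:
        return 0.0
    return sum(counts[p] for p in LEGACY) / tls_total


def can_disable_legacy(counts, max_locked_out=0.01):
    """Policy check: the operator decides how much of *their* audience they accept losing."""
    return legacy_share(counts) <= max_locked_out


if __name__ == "__main__":
    c = tally_protocols(SAMPLE_LOG)
    print(dict(c), f"legacy share: {legacy_share(c):.1%}")
```

Run it over a week of real logs and the number you get is your own long tail, not CanIUse's.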

That's a tough one, because the examples you gave are exactly the ones that I don't want a shady ISP or other interested party snooping on. I'm not unsympathetic, and genuinely feel bad for the people stuck with truly ancient systems. But at some point, you have to do the analysis of whether it's better to 1) give secure communication to everyone who can have it, or 2) retain insecure communications to support an ever-shrinking pool of people who can't/won't upgrade. I think we're at the point where #1 is more important.

And honestly, I think a lot of people in the second group are there because they bought a smartphone in 2007 and won't upgrade because "if it ain't broke, don't fix it". Well, now it's broken. Fix it.

> That's a tough one, because the examples you gave are exactly the ones that I don't want a shady ISP or other interested party snooping on.

This sounds like a personal consideration - one you're entitled to, but perhaps shouldn't force on others. Maybe consider Tor?

> ever-shrinking pool of people who can't/won't upgrade.

Are you sure about this? The kind of security you're advocating for here is a moving target. As the pool shrinks on the tail end, surely the head advances...

> Well, now it's broken. Fix it.

Erm, no. The device isn't broken, you are willfully breaking it. I can appreciate your stance, but glib comments like this aren't going to convince anyone in that camp.

They can tell what page you're looking at from the host name and request response lengths, though, right? Especially if those are the only two pages on your site.

With DNS over HTTPS and encrypted SNI, soon the only information you will get is "They accessed a website on Amazon/Cloudflare".

This is not a guarantee. If you have your own public IP it is quite possible to do a reverse IP lookup and get the domain.