[ocdtrekkie]

Believe it or not "everyone must use https" is a pretty political push, based on favoring certain corporate entities who control all of the points in a network where https traffic gets decrypted, at the expense of other corporate entities who the first group doesn't like.

I think in most cases, sites which do not collect or handle personal information should support http, and optionally support https for those who have particular reasons to be concerned about being noticed viewing a website.

(Also, consider that many hosts still effectively charge money to encrypt your site. Usually by selling their own certs and refusing to support Let's Encrypt based renewals.)

[lmc]

> Believe it or not "everyone must use https" is a pretty political push, based on favoring certain corporate entities who control all of the points in a network where https traffic gets decrypted, at the expense of other corporate entities who the first group doesn't like.

It's really not. Ever had your ISP inject shit into your pages? https://www.infoworld.com/article/2925839/code-injection-new...

[webmaven]

> It's really not. Ever had your ISP inject shit into your pages?

This. And all the other skulduggery that MITM attacks enable.

I'm kind of surprised that none of the powers-that-be ever pushed for an HTTPS mode that merely signs requests and responses rather than encrypting them, in an effort to undermine encryption advocates.

[jan_Inkepa]

That's a good point. On the other hand, the transient nature of certs makes the hosting a lot more temporary-feeling/brittle - it may get better with time - I guess we'll see...