[rabidrat]

It's the combination of defaults that's problematic. If the site requires https, because it's e.g. a bank, then sure, require non-expired cert. But my static sites which have no auth, payment, or even subpages (path-obscuration being another of the touted benefits of https-everywhere), do not require https. Except because of the defaults Google's overzealous security team decided to inflict on the world, now I have to have a process that reaches out to LE every 3 months. For a static website which otherwise never needs updating.

[bawolff]

Well according to others on this thread, w3.org enabled HSTS - so they specificly opted into strict mode. They were not using the defaults. So that criticism does not apply here.

[DenseComet]

Https also ensures that the connection has not been tampered with by an ISP. Its quite stupid, especially considering you're paying them already, but used to be common when most of the web was http. Also, router malware has been seen injecting JS into http pages to mine crypto.

https://www.infoworld.com/article/2925839/code-injection-new...

https://www.privateinternetaccess.com/blog/comcast-still-use...

https://blog.avast.com/mikrotik-routers-targeted-by-cryptomi...

[SilverRed]

>now I have to have a process that reaches out to LE every 3 months.

This is not particularly hard. Most static hosting services even do it for you.

[nine_k]

Serve it both on ports 80 and 443.