[sysadm1n]

I only browse HTTPS sites. I have the `HTTPS Everywhere` addon installed with the `EASE` / Encrypt All Sites Eligible turned on so I don't accidentally browse an unencrypted website. Something like 85%/90% of the web is encrypted now, and there's no excuse to be using outdated plaintext http anymore. It's a privacy and security risk. There are only few instances where I had to view a http site (I'm a freelancer and my client's webpage was still unencrypted, so I had to see it, so a rare exception to the rule).

[freediver]

The privacy and security risk comes in large part from the nature of code and actions performed on the site.

In reality as far as privacy goes, the matters are on average opposite to your claim. Most sites that will put your privacy at risk today are using https - I am talking about the vast majority of the commercially operated web today. I know my privacy is much better respected on a plain text (no javascript) site using http then on [insert a top 10k most popular site here] using https.

And for security, if I am not performing for example shopping or entering my billing details anywhere on the site, I do not see how a http site can compromise my security.

I actually prefer deploying http sites for simple test projects where speed is imperative because they are also faster - there is no SSL handshake needed to connect.

[marginalia_nu]

It's funny because I got like 70% HTTP in my index, so the whole "90% of the web is encrypted" seems to depend on which sample you are looking at. Google doesn't index HTTP at all, so that's not a good place to go looking for what's the most popular. That's in fact half the reason why I built this search engine in the first place, because they demand things of websites that some websites simply can't or wont comply with.

A lot of servers still use HTTP, for various reasons. There are also some clients that can't use HTTPS.

[stjohnswarts]

I think there are absolute numbers and then there are "the sites most people visit regularly" and those probably are 75% https. It's relative like most things.

[marginalia_nu]

Absolute numbers are pretty hard to define, as is the size of the Internet.

If the same server has two domains associated with it, does it count twice? Now consider a loadbalancer that points to virtual servers on the same machine. How about subdomains?

[stjohnswarts]

It may be a privacy risk, but it's certainly not a security risk with plain old blog and static sites that have completely open data available to anyone who wants to surf to their sites.

[1vuio0pswjnm7]

HTTPS is a still privacy risk because the hostname is sent in plaintext. Perhaps you get some "URL privacy" but you get no improvment in terms of "hostname privacy". HTTP only leaks the hostname once. HTTPS leaks it twice.

This can be prevented by (a) using TLS1.3 to ensure the server certificate that is sent is encrypted and (b) taking steps to plug the SNI leak; popular browsers send SNI to every website, even when it is not required.