by jefftk 1506 days ago
I don't think that the advice to offer non-HTTPS is good: it exposes your users to downgrade (SSL stripping) attacks. Even extremely old browsers supported HTTPS: it was added to Netscape in 1994, and Internet Explorer in 1995 (IE2). You shouldn't have to give up security for users of modern browsers in pursuit of backwards compatibility.

(It might be a bit tricky to find an HTTPS configuration that supports both modern and extremely old browsers, but it should be possible)

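The downgrade attack the parent comment refers to is worth seeing concretely. The following is an added example, not code from the thread or from any tool mentioned in it: it simulates what an sslstrip-style man-in-the-middle does to a page relayed over plain HTTP (rewriting every https:// reference to http:// so the victim's next request, such as a login or transfer form, also leaves in the clear), and then models the browser-side HSTS rule (RFC 6797) that defeats it by upgrading http:// URLs for known hosts before any request is sent. The page, hostnames and header values are constructed for the demonstration.

```python
"""Simulated SSL stripping and the HSTS defence (added example, not from the thread)."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit, urlunsplit

# Constructed sample page: what a bank's front page might link to.
SAMPLE_PAGE = (
    '<a href="https://bank.example/login">Log in</a>\n'
    '<form action="https://bank.example/transfer" method="post"></form>\n'
    '<img src="https://cdn.example/logo.png">\n'
    '<a href="http://news.example/">News</a>\n'
)

_HTTPS = re.compile(r"https://", re.IGNORECASE)
_URL_ATTR = re.compile(r'(?:href|src|action)="([^"]+)"')


def strip_https(html: str) -> tuple[str, int]:
    """What an sslstrip-style MitM does to a page it relays over plain HTTP:
    every https:// reference becomes http://, so the victim's follow-up
    requests also go out unencrypted through the attacker.
    Returns the rewritten page and the number of references downgraded."""
    return _HTTPS.subn("http://", html)


@dataclass
class HstsStore:
    """Browser-side HSTS state: hosts that asserted, over a validated HTTPS
    connection, that they must only ever be reached over HTTPS."""
    hosts: dict = field(default_factory=dict)  # host -> includeSubDomains flag

    def record(self, host: str, header: str) -> None:
        """Process a Strict-Transport-Security header received over HTTPS."""
        max_age = None
        include_sub = False
        for directive in header.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.lower()
            if name == "max-age":
                max_age = int(value.strip().strip('"'))
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return  # max-age is mandatory; a malformed header is ignored
        if max_age == 0:
            self.hosts.pop(host.lower(), None)  # max-age=0 means "forget this host"
        else:
            self.hosts[host.lower()] = include_sub

    def is_known(self, host: str) -> bool:
        host = host.lower()
        if host in self.hosts:
            return True
        labels = host.split(".")
        # includeSubDomains on a parent domain covers this host too
        return any(self.hosts.get(".".join(labels[i:])) for i in range(1, len(labels) - 1))

    def upgrade(self, url: str) -> str:
        """Apply the HSTS rule: an http:// URL for a known host is rewritten to
        https:// before any request is sent, so a stripped link never produces
        a plaintext request the MitM can read or tamper with."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname or ""):
            return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
        return url


def plaintext_requests(html: str, store: HstsStore) -> list[str]:
    """URLs the browser would fetch over plain HTTP from a (possibly stripped)
    page, after applying HSTS upgrades."""
    return [u for u in (store.upgrade(u) for u in _URL_ATTR.findall(html)) if u.startswith("http://")]


def demo() -> dict:
    """Run the attack against a browser with no HSTS state and against one that
    previously saw the bank's HSTS header over HTTPS."""
    stripped, downgraded = strip_https(SAMPLE_PAGE)
    naive = HstsStore()  # never visited the bank over HTTPS
    primed = HstsStore()
    primed.record("bank.example", "max-age=31536000; includeSubDomains")
    return {
        "downgraded": downgraded,
        "leaked_without_hsts": plaintext_requests(stripped, naive),
        "leaked_with_hsts": plaintext_requests(stripped, primed),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With no HSTS state all four requests, including the login and transfer forms, leave in plaintext; once the bank's header has been recorded, only the third-party hosts that never set HSTS remain exposed. Note the gap the simulation makes visible: the very first visit, before any HSTS header has been seen, is still strippable, which is why browsers ship preload lists. A site that serves plain HTTP alongside HTTPS without HSTS leaves its users in the "naive" state permanently.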

I don't think it's possible to use modern HTTPS with old browsers. All the old ciphers are now insecure and obsolete. Even if you supported the old ciphers, what would be the point, since they're insecure? So just provide plain HTTP.

For the majority of users, man-in-the-middle attacks (by someone other than your ISP) will never be an issue. It's mostly a theoretical problem. Your connection at home (and your laptop) is as safe as your Wifi connection. Your mobile connection is probably more secure. And there is no hacker sitting in your coffee shop waiting to p0wn your connection to Facebook or send you a 0day. HTTPS is necessary for the whole world to trust e-commerce, but saying everything has to be encrypted is ridiculous.

The most likely MitM anyone will ever experience is DNS cache poisoning, and that's pretty rare.

There's already a huge MitM between you and the server called Cloudflare.

The site is compatible with IE1, HTTPS would break that. Unacceptable.

And I don't believe it is possible to have an HTTPS configuration that suits both old and new browsers since new browsers regularly deprecate older versions of SSL/TLS. I think that anything less than TLS 1.2 is deprecated in many browsers now, and TLS 1.2 is from 2008, way too modern for a website focused on compatibility.

For compatibility, HTTP is your only choice; secure protocols are likely to be deprecated regularly as new vulnerabilities are found and stronger protocols are made.

I disagree completely. Sometimes backwards compatibility is more important.

There are applications where you want maximum security (e.g. banking) and there are others where it is not only not necessary, but also a hindrance (ART, for example)

> not only not necessary, but also a hindrance

It's always necessary. We've learned that with http connections, middlemen can inject adware or other crap into the page. https://www.infoworld.com/article/2925839/code-injection-new...

Google, Apple, Microsoft, Raymond Hill, and others also have this ability, even with https, depending on your OS and browser. It all comes down to who you decide to trust.

You've made a judgement call that ISPs are inherently less trustworthy than every other party in the chain, but I don't think you should make that decision for everyone else, particularly given that you don't know what ISP they have.

With HTTPS connections, compatibility problems or even a clock which is set wrong can keep someone from accessing important information.

Not to mention that you are at the mercy of the SSL authorities.

Is using TLS 1.0 any better than just using http?

> Even extremely old browsers supported HTTPS: it was added to Netscape in 1994, and Internet Explorer in 1995 (IE2)

Last year I traveled to my parents' house and booted up my old computer, which I hadn't used since 2014. It was using Ubuntu 12.04, I think.

I could barely browse any websites in Firefox, because of TLS issues.