Hacker News
by tialaramex 1486 days ago
> A site being on HTTP isn't necessarily insecure. That warning is inaccurate.

The actual semantics of HTTP are very surprising to humans and this is a problem.

We have a whole bunch of systems, including some that are key to making HTTPS work such as OCSP, which rely on plain HTTP, but those systems know about its semantics and account for them in how they work, while ordinary users do not and shouldn't be expected to learn.

HTTPS delivers much closer to the semantics people actually expect, with the remaining exception being that people are often surprised that McDonalds.phishing.example isn't necessarily anything to do with McDonalds.