by superkuh 1313 days ago
>browsers can still talk HTTP/0.9 and HTTP/1.0

For now. It won't be too many years before the mega-corp browsers not only drop early HTTP support but they drop HTTP/1.1 too. They'll do this in the name of "security". And then all that Chrome based browsers will support will be their very own invented and open-washed QUIC in the form of HTTP/3 and hosting a personal website visitable by a random person will not be possible without continued permission from an incorporated entity. HTTP/3 implementations by Google so far have made it so that Chrome CANNOT establish a connection without a proper certificate authority based TLS certificate. I give this change about 3 years.

You can argue that you can always get a CA TLS cert from another entity if, say, the incredible centralization of all the personal web into LetsEncrypt somehow goes bad. True enough, but if the pressure group can pressure LE it can probably pressure $otherCA too. And frankly, having to get the continued approval of any incorporated entity to host a website is just not acceptable. LE is currently a benign overlord for good on the web. So was dot Org for many years. But if it's made valuable enough the pressure and corruption will come.

2 comments

this is exactly what's happening and it can be concerning, but from reading the http/3 spec, i think the changes make a lot of sense.

http/3 is multiplex by default, which lends itself much better to RPC (love it or hate it), and is designed to perform much better over choppy network connections (cellular).

also there is really no good reason to not be on https these days. first, chrome uses system certificate trust stores, and OSes still ship with a healthy set of root CAs. second, LE is only popular because creating certs with literally anyone else (except the cloud providers) is expensive and a huge pain in the ass...but you can still get your own shiny cert issued by DigiCert or whomever. third, every web server has made enabling https on vhosts really easy and almost all servers run on CPUs which do hw-accelerated crypto, so performance hits are negligible these days. fourth, i would personally much rather get an SSL warning when the site I'm visiting isn't who they say they are than get a site that's modified in transit silently without me knowing.

the only thing i use http for these days are super simple local dev sites or for my dummy page for detecting captive portals.

the change that really worries me is chrome going all in on neutering adblockers through manifest v3. that feels hugely anti-consumer to me.

You're missing out on the fact that the de-facto standard which is disappearing is HTTP+HTTPS. Not one or the other. Together they provide security and choice. This is what I hope we all choose to continue supporting. I am not anti-TLS. I'm not even anti-CA TLS. I just think HTTP should be an option.

The only situations where HTTP has reason to be removed entirely are government/corporate/institutional sites with a genuine risk of MITM attacks on login/etc processes. For normal websites (i.e., not web applications with accounts) created by humans this makes about as much sense as wearing a bulletproof vest while on the phone; yeah, you're more secure but... it's not actually helping.

Why is this getting downvoted? Can someone who is downvoting, or anyone, provide a reason?

Is the comment patently incorrect?

Is a proof-less conspiracy statement supposed to be enjoyed and loved? It's more conspiratorial emotion than fact. These "I miss the old internet" posts come up every week or so on HN and are largely all the same conspiracies with slightly different wording and no more proof than before.

Fair enough - I hadn't considered that the implication was it would take a conspiracy to do it.

Welcome to hn in recent years.

The site desperately needs some form of meta moderation. I've barely scrolled this thread and seen multiple examples already.