Controversial opinion: Why do I need https when looking for the weather forecast? Https is blindly thrown on everything. If the data is public and no login or personal/sensitive data is involved, why do I need https?
> If the data is public and no login or personal/sensitive data is involved why do I need https?
Do you care whether the data actually comes from your weather forecasting service and was not tampered with by a third party? Then you need https as well.
A different example: a podcast website I've seen was served over http, and someone argued the same (data is public, no login). The page contained an IBAN for donations. That would be a valuable target to replace as an MitM.
I am not familiar with the term "proven authority", but I assume what you mean is that it is enough to prove the authenticity of the data in this case. Yes, a cryptographic signature of the page's content would be enough here, but then you would still have some kind of PKI and cryptography involved, and in the end https is the best supported approach for that.
Defaulting to full https also has the advantage that you don't have to re-evaluate whether you should be using https in the future, when you make some changes to the functionality or content of a website.
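The content-signature idea from the comment above, as an added example that is not part of any commenter's post: a detached Ed25519 signature detects a changed donation line, but only when the verifier already holds the publisher's key from a trusted channel. The page body, placeholder IBAN and function names are constructed for illustration.

```javascript
// Added example: detached signature over page content, using Node.js built-in crypto.
const crypto = require('node:crypto');

// Constructed sample page; the IBAN is a made-up placeholder.
const PAGE = '<p>Donate: IBAN XX00 EXAMPLE 0000 0001</p>';

// Publisher side: sign the exact bytes of the page (Ed25519 takes no digest name).
function signPage(body, privateKey) {
  return crypto.sign(null, Buffer.from(body, 'utf8'), privateKey).toString('base64');
}

// Client side: accept the body only if the signature verifies under a
// public key the client already trusts.
function verifyPage(body, signatureB64, trustedPublicKey) {
  try {
    return crypto.verify(null, Buffer.from(body, 'utf8'), trustedPublicKey,
                         Buffer.from(signatureB64, 'base64'));
  } catch {
    return false; // malformed signature or key is treated as a failed check
  }
}

function demo() {
  const publisher = crypto.generateKeyPairSync('ed25519');
  const other = crypto.generateKeyPairSync('ed25519'); // any key that is not the publisher's
  const sig = signPage(PAGE, publisher.privateKey);

  // Body changed in transit, original signature kept.
  const altered = PAGE.replace('0001', '9999');
  // Body and signature both replaced, signed with the non-publisher key.
  const resigned = signPage(altered, other.privateKey);

  return {
    intact: verifyPage(PAGE, sig, publisher.publicKey),
    alteredBody: verifyPage(altered, sig, publisher.publicKey),
    // Key obtained out of band: the replacement is rejected.
    resignedPinnedKey: verifyPage(altered, resigned, publisher.publicKey),
    // Key delivered over the same plain-HTTP channel as the page: the check
    // passes on altered content, so key distribution (a PKI) is still required.
    resignedKeyFromSameChannel: verifyPage(altered, resigned, other.publicKey),
  };
}
```

Only the last case accepts altered content, and it is the one where the verification key has no independent source of trust.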
What happens when a site you really do need and have HTTPS on (your bank, say) has a cross-site request forgery vulnerability, and someone plops an exploit script on that non-HTTPS site you visit? With crafty enough hackers, your savings just got wired to a foreign country.
The entire internet needs to be HTTPS to protect against stupid security decisions made long ago that we can’t undo now in the name of backwards compatibility.
> The entire internet needs to be HTTPS to protect against stupid security decisions made long ago that we can’t undo now in the name of backwards compatibility.
We can undo it now, the powers that be just refuse to abandon the altar of backwards compatibility, damn the cost. (Even though the addition of a straightforward document browser with no JS and no dynamic content would seriously improve most of the internet...)
Meh, that's all such a theater. LE can ask anyone to insert a "JS exploit", especially into the government meteo service. It will then be nicely, safely and securely served to you via HTTPS :) Of course, enabled specially for your IP address so that no one else gets any clue.
edit: and everyone is voluntarily mitming via cloudflare anyway... it's all such a farce