| HN Mirror

The risk is that HTTPS is something you have to manage. Either your hosting provider auto-renews certs for you (which might cost) or you set up your own automation (which can fail, and I've seen enough properties with expired LE-issued certs to know that email reminders can be missed and certbot is not a silver bullet). That said, usually an expired cert fails open, ie users can still visit your website if they accept the scary "this is unsafe" warning. This is not an option if your website uses HSTS or is on a TLD with implicit HSTS (eg .dev), but in that case you're opting in to the responsibility of renewing your certs reliably.

The benefit is that you can be sure that nothing modifies the traffic between your server and the client, so the client sees your content without any modification.

The counter-points to the benefit are that a) the traffic can still be *blocked* by any party in the middle (eg a state-level firewall), b) that traffic can absolutely be modified if the client has accepted an alternative CA for whatever reason (legal, corporate, etc) and that CA is used to MITM the connection to your server, and c) you as a website operator don't necessarily care about the MITM situation of every client's network (ie them having a MITM is their problem, not yours).

There's another benefit that browsers restrict some JS API to only run on https pages, which matters if you wanted to use those API. https://developer.mozilla.org/en-US/docs/Web/Security/Secure...