[nc17]

"It goes without saying that all pages shown to logged-in users should be served over HTTPS"

You're not logged on to that page, it's a blog. There's nothing to gain by serving it over https.

[mentat]

"nothing to gain" has interesting intersections with domain-wide cookies when mistakes are made.

[kodablah]

"But that isn't quite enough"..."HTTPS is easy to do and servers are plenty fast these days so there's really no excuse not to use it on all your pages, so that's exactly what we do!"

Does seem a bit ironic.