[miladyincontrol]

Agree strongly. An expired cert is better than no cert.

Also would argue maintenance is only as complicated as you make it for yourself. Countless people keep patched, secure, https web servers running with minimal effort. If its somehow effort, introspect some on why you are somehow making so much work for yourself.

[superkuh]

Might be a bit of each of us touching different ends of the elephant. To be clear I am talking about long timespans. Lets Encrypt hasn't even existed for a full decade yet. During that time it's dropped support entirely for the original acme protocol. During that time it's root certs have expired at least twice (only those I remember where it caused issues in older software). And that's ignoring the churn in acme/acme2 clients and specific OS/Distro cert choice issues and browser CA issues. Saying that there's no trouble with HTTPS must be coming from experiences on short timescales (ie, a few years).

HTTP/3 already doesn't allow anything but CA TLS only. It won't be too long before they no longer allow you to click through CA TLS warnings.

If human people want things to be on the web for long time periods those things should be served HTTP+HTTPS.

[Ferret7446]

If you can't keep your site's certs working, I don't have much faith you can keep your server working. Maintenance is required in the face of entropy

[pastage]

There is some kind of middle ground here.. My first HTML file still renders like it did on Mosaic. The HTTP server I used back then still works today 35 years later without maintenance. I do agree that HTTPS is a simple solution but there is too much cargo cult around it. Honestly I do not see the use to maintain everything published if you follow sane practices.

EDIT: I have 15 year old things at work that do not compile, you have to maintain it for sure, biggest problem is cryptography. I am not sure that unstable tech should be part of the application ever.

[hexfran]

Unless I'm misunderstanding your point, your HTTP server from 35 years ago is still working today without any maintenance? Does that mean no security patching and no updates for bugfixes? or does "no maintenance" means something else I'm missing? I find it difficult to discuss these topics when comments like these pretend that you can leave your system exposed on the internet for years without any maintenance.

If we're talking applications that don't actively listen on the internet that's fine, and I would agree that we should have complete software that just works. But a webserver, unless it's for personal/home use, it's on the internet and I don't see how it could work for 35 years without any update/change

[superkuh]

Static html webservers don't really have any need for security patching or bugfixes constantly like dynamic complex stuff. They literally can just live forever. The sites themselves are just files. Not applications.

[Ferret7446]

I hate to break it to you, but HTTP servers (what is an html server) absolutely can have all manner of fun exploits, like RCE.

[pocksuppet]

That's no use when your automated registrar stops working in 3 years because it went out of business or changed protocols. Let's Encrypt has been an outlier.