superkuh•1h ago
HTTP is incomparably less fragile than HTTPS which is why HTTP+HTTPS is such a great solution for websites made by human persons for human persons. Let's be clear, corporate or institutional persons using HTTPS alone is fine and reasonable. But for human use cases HTTP+HTTPS gets you the best of both worlds. No HTTPS cert system ever survives longer than a few years without human input/maintenance. There's just too much changing and too much complexity. From the software of the user to the software of the webserver.
Which is to say, HTTP is not some "ancient" tech like an analog television. It is a modern technology used today doing things that HTTPS can't.
tryauuum•1h ago
I'd rather have some expired cert than http
I saw once my ISP injecting javascript ads into http traffic and the horror is with me forever
miladyincontrol•24m ago
Agree strongly. An expired cert is better than no cert.
Also would argue maintenance is only as complicated as you make it for yourself. Countless people keep patched, secure, https web servers running with minimal effort. If it's somehow effort, introspect some on why you are somehow making so much work for yourself.
superkuh•13m ago
Might be a bit of each of us touching different ends of the elephant. To be clear I am talking about long timespans. Let's Encrypt hasn't even existed for a full decade yet. During that time it's dropped support entirely for the original ACME protocol. During that time its root certs have expired at least twice (only those I remember where it caused issues in older software). Saying that there's no trouble with HTTPS must be coming from experiences on short timescales (i.e., a few years).
I know and visit many people's personal static html sites that have been around pretty much untouched and unmaintained since the 90s and early 2000s. That's completely infeasible with CA HTTPS-only. It won't be too many more years before Chrome, Safari and Firefox stop allowing users to click through CA TLS cert warnings/failures. HTTP/3 the UDP protocol doesn't even allow* connecting to a remote site unless there's a CA signed cert.
(*you could compile the HTTP/3 libs yourself with the special flags to enable this (only a couple allow it) and link them in to your browser as you compile it. But as someone hosting a personal webserver 99.999% of the people out there are not going to be doing this and will be unable to visit a non CA TLS site on HTTP/3).
tryauuum•1h ago
sexy
paulnpace•20m ago
Not very useful when most of the pages are default web server pages.