Comment by effie

3 years ago

Troy Hunt points out that HTTP traffic is sometimes MITMed in a way that clients and servers do not like, and HTTPS sometimes prevents that. I never said otherwise. I am saying that for certain kinds of pages, it's not a major concern. Like for djb's website.

Why not use HTTPS for everything? Because it also has costs, not just benefits.

> Because it also has costs, not just benefits.

That's not really true. Certificates have been free for a long time and every CPU made within the last 10 years has AES acceleration. You can google white papers from companies like Cloudflare and Google, which actually show speedups with HTTP 2 or 3.

  • There are other costs, with deployment and maintenance. A well-built HTTP site works on its own until browsers intentionally stop accepting it. An HTTPS site works for a few months and then a new certificate needs to be obtained and deployed. This has a real cost in additional risk of outages, support requests, and, not least, becoming dependent on the goodwill of the certificate issuer.