I used to have an ISP that would inject ads into HTTP sites. Every site needs HTTPS.

Or, your ISP does not deserve to exist.

True but you can’t build distributed systems that rely on every single actor being a good one. Hence encryption, the police, etc.

The police is a good example, instead of reinventing basal language, we instead have a body of people who enforce the law.

It’s not like ISPs are unknown entities.

What about governments? In my country they perform MITM attacks against unencrypted HTTP, while the best they can do with HTTPS is to block the site. I'd much prefer everyone enforcing HTTPS at all times.

> Many sites don’t need https.

Maybe intranet sites. Everything else absolutely should.

https://doesmysiteneedhttps.com/

Those are some of the most pedantic grasping at straws reasons I've ever read. It's like they know there's nothing wrong with http so they've had to invent worst case nightmare scenarios to make their "It's so important" reasons stick. Https is great. I use it. That website is pathetic though.

ISPs injecting ads into HTTP websites isn't a weird edge case. I've seen it happen.

And so what if my webpage about an obscure 1994 Australian rock band get a few ads injected into it? Everything else in my life gets ads injected into it (TV, Music, Movies) Such a silly argument.

The source footer ("View Page Source") summarizes it perfectly:

Sites that need HTTPS: - all of them

If you like it, you better put a lock on it.

And, BTW, the website is as delightfully simple and unobtrusive as the one in the article.

Every connection should be encrypted.

Unencrypted connections can be weaponized by things like China’s Great Canon.

this is the statement of someone who wasn't around in 2013 when the snowden leaks happened and google's datacenters got owned. everyone switched to https shortly thereafter

Didn't everyone switch to TOR shortly after? :-(

Some people use TOR, but the internet generally started using https for everything.