Lukewarm take:

When I see general* "security advice" that mentions "do not use public WiFi" or "use a VPN", I am immediately suspicious about all other advice offered.

Yes, a decade ago that was a consideration, because most sites were not using HTTPS. Credentials were flying cleartext on the wire.

Today, almost all sites use HTTPS. Doesn't mean the risk is zero, but it's way lower.

*) "general" meaning "without a very specific threat model in mind", meant for general public, etc.

#InfoSec

Actually, downgraded that take to "lukewarm", it should really not be controversial at all these days. It's been a hot minute since LetsEncrypt changed the HTTPS landscape!

What is beyond me is that such "security advice" still gets pushed. 

Also, shout-out to @letsencrypt for dramatically changing the security landscape of the Web for the better over the years.

Rarely is there an example of a project so effective and so directly improving everyone's lives, while at the same time keeping the original engineering mindset and just Doing Stuff Right™ humbly in the background.

Next November it will have been exactly a decade since LE started. We all owe them a huge 10th birthday party.

#InfoSec

@rysiek And other people just say this was Google enforcing TLS security with HTTPS on the web.

There are legitimate applications on the web that don't need TLS to work, which are perfectly fine for the creative commons, e.g.

And that it's not clear why a web page requested via HTTP should be marked as insecure in the UI, if it will not receive any particularly sensitive information.

That Let's Encrypt was a heist to further enclose the open web.

It was a revelation for some, not all.

@yala @rysiek Some providers started injecting JavaScript into pages served without TLS, sometimes to display ads, sometimes to show warnings about your account.

HTTPS everywhere also killed the annoying and RFC-violating NXDOMAIN capture pages served by some providers.

Letsencrypt and HTTPS everywhere are a good thing that needed to happen to the web.

@neverpanic
Thank you for calmly explaining this further. I need to nod to the fact that the side-effects of the protocol design of HTTP do not only affect the implementations of some enthusiast environment, but the Web at large. There we must address a much larger diversity of possible misuse, which is well covered by HTTPS.

@rysiek

@yala And those people are wrong.

@yala @rysiek let me help you here: https://www.troyhunt.com/heres-why-your-static-website-needs-https/

TLDR: Because it's not all about sending sensitive data. Attackers can manipulate your site when served over HTTP. They can inject all kinds of nonsense, from animated gifs to crypto miners to requests to other websites. And these things are done in the real world at ISP levels in various countries.

So while you might not need the encryption HTTPS provides, you probably want the authentication.

Here's Why Your Static Website Needs HTTPS

It was Jan last year that I suggested HTTPS adoption had passed the "tipping point" [https://www.troyhunt.com/https-adoption-has-reached-the-tipping-point/], that is, it had passed the moment of critical mass [https://en.wikipedia.org/wiki/The_Tipping_Point] and as I said at the time, "will very shortly become the

Troy Hunt
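The injection that @neverpanic and @sheogorath describe is detectable from the outside: the HTTPS copy of a page is authenticated end to end, so anything active (external scripts, frames, inline scripts) that shows up only in the plain-HTTP copy was added somewhere on the path. The script below is an added example written for this thread, not code from Troy Hunt's article or from any of the posters; both HTML documents and the hostnames in them are constructed so it runs offline, and in practice you would replace them with the bodies returned by an HTTP client for the `http://` and `https://` URL of the same page.

```python
"""Detect active content injected into a plain-HTTP copy of a page by diffing
it against the HTTPS copy of the same page (the authenticated reference)."""
import hashlib
from html.parser import HTMLParser


class ActiveContentCollector(HTMLParser):
    """Records where a page loads active content from: external script and
    frame sources, plus a short hash of every inline <script> body."""

    def __init__(self):
        super().__init__()
        # Entries look like ("script", url), ("iframe", url) or
        # ("inline-script", sha256-prefix).
        self.items = set()
        self._in_inline_script = False
        self._script_text = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        src = attrs.get("src")
        if tag == "script":
            if src:
                self.items.add(("script", src))
            else:
                self._in_inline_script = True
                self._script_text = []
        elif tag in ("iframe", "frame", "embed") and src:
            self.items.add((tag, src))

    def handle_data(self, data):
        # HTMLParser hands over <script> bodies as raw text, so the HTML-like
        # string inside document.write() below is not parsed as tags.
        if self._in_inline_script:
            self._script_text.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline_script:
            self._in_inline_script = False
            body = "".join(self._script_text).strip().encode()
            self.items.add(("inline-script", hashlib.sha256(body).hexdigest()[:16]))


def active_content(html):
    parser = ActiveContentCollector()
    parser.feed(html)
    parser.close()
    return parser.items


def find_injected(reference_html, observed_html):
    """Return the active content present in the observed (HTTP) copy but absent
    from the reference (HTTPS) copy, sorted so the output is stable."""
    return sorted(active_content(observed_html) - active_content(reference_html))


# Constructed sample: what the origin server actually serves, fetched over HTTPS.
HTTPS_COPY = """<html><head><title>Cat pictures</title>
<script src="/assets/site.js"></script></head>
<body><img src="/cats/01.jpg"></body></html>"""

# Constructed sample: the same page as seen over plain HTTP through a path that
# adds an ad loader, an inline script and a "you are over quota" frame. The
# hostnames are made up for this example.
HTTP_COPY = """<html><head><title>Cat pictures</title>
<script src="/assets/site.js"></script>
<script src="http://isp-injector.invalid/ads.js"></script>
<script>document.write('<div id="notice"></div>')</script></head>
<body><iframe src="http://isp-notice.invalid/quota"></iframe>
<img src="/cats/01.jpg"></body></html>"""


if __name__ == "__main__":
    for kind, value in find_injected(HTTPS_COPY, HTTP_COPY):
        print(f"injected {kind}: {value}")
```

Using the HTTPS copy as the reference is the whole point of the comparison: a server that publishes the same static files on both ports gives you a ground truth to diff against, and the diff is empty only when nothing on the HTTP path touched the page. Running the check from a few different networks (home ISP, mobile, a hosting provider) is how the ISP-level injection mentioned in the thread tends to surface.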

@sheogorath @yala

> They can inject all kinds of nonsense, from animated gifs to crypto miners to requests to other websites.

Not to mention actual malware:
https://citizenlab.ca/2014/08/cat-video-and-the-death-of-clear-text/

Schrodinger's Cat Video and the Death of Clear-Text

"...Web 2.0 was created so that people could publish cute photos of cats." This report provides analysis of products for facilitating targeted surveillance.

The Citizen Lab