I don't need HTTPS, thank you

No really!

Here's why.

"But Elly it's so cynical"

So am I.

"But eavesdropping!"

Your DNS provider already knows you've visited my site, and through DNS snooping, your ISP does too.

There is nothing here worth encrypting, when anyone can just view what's here.

If I added any way to input data, yes, I would use HTTPS. Not doing so would be a dick move. It's not perfect but it at least keeps criminals out. That said, don't use it to input anything that you wouldn't want the government to know (I'll get to that in a bit).

But there is no such way to do that. This is a static site. It never changes between users. There is no form.


I'll PGP sign anything I give a shit about. I don't need HTTPS to authenticate me.

Besides, without EV, you have no way of really knowing it's me.

"You're resisting the inevitable"

It's not so much resistance so much as "I don't give a shit." I see no reason to.

"LetsEncrypt is zero effort!"

  • No it's not, given the client they want me to use literally tries to do everything for me, when I really do not want that for anything I care about
  • I'm not giving anything that speaks a protocol designed to retrieve signed SSL certificates full access to any web server I care about; malformed certificates could compromise my web server, and if you don't think that's possible, go read the x509 spec, which is so complicated it's virtually inevitable there will be vulnerabilities
  • I'm not changing my web server to something else that does it for me for shit, what I have now works perfectly fine (well, lighttpd is getting a bit rusty but still)
  • I'm not going to manually update the certificate every 60 days
  • If I need HTTPS, which I don't, for anything actually important I will go buy a certificate. With money. From a CA that's competently run. Not one that just gives certificates to paypal.onlinemoneyexchange.space without even thinking about it.

"You could use DANE!"

I could also fuck someone using plastic wrap instead of a condom and say it's a functional method of preventing STD's. Which is basically what DANE is.

"My network injects shit into the page!"

The problem's at your end, not mine.

"Intelligence agencies/ISP's/etc tho"

Change your government. Change your ISP. You can't fix social problems with a band-aid like HTTPS. HTTPS is putting lipstick on the pig that is society. Nothing stops a government from creating, buying, or hijacking a certificate authority and issuing certificates as an oracle, eavesdropping all communications.

They are already probably doing this. Governments aren't as stupid as people assume they are. For every time we discover something fucked the government is doing, I promise there are a thousand even more fucked up things they're doing that we don't know about.

Your average end user neither knows nor cares what a certificate oracle is, nor do they know or care if a CA is slipstreamed in. Maybe they should, but they're not that smart. Welcome to reality. Not everyone is a nerd.

But what they do understand is "the government spies on us," and educating them that it doesn't have to be this way, will do way more good for society than HTTPS Everywhere ever could.

"whom.st has HTTPS!"

It's kinda broken due to mixed content warnings I'm not inclined to fix, and it's all through cloudflare, so I don't care. The purpose of cloudflare here is not for HTTPS.

"Everything you said is wrong and thus you should care"

To channel autoconf:

Checking for care... no.