
Out of curiosity, why do you want unencrypted HTTP when HTTPS is available?


I worked on a project where the site uses HTTP. Initially I did a double take, as using it requires a login, thinking that's just wrong.

But after a bit of reflection I now think that in this specific case there's nothing bad about using http. Services are offered on a first come first serve basis to a large but closed group of valid users. Key is that there are a bunch of real world processes that follow the initial trigger with no practical way for any other party to benefit.

The site is extremely simple but blazingly fast.


Sorry, but why is http a benefit here? Http has lots of downsides - like the traffic can be snooped and edited. (It is edited by many ISPs for advertising. And in countries like Australia the ISPs are required by law to log all http requests.) And of course, you can’t use http2 without tls.

What is the benefit to turning https off?


With all respect: because I want to, and I expect my computer to do what I command it to do, not second-guess me. I understand the use cases for HTTPS vs. HTTP, and in some cases I deliberately want HTTP. It is not my browser's job to wag its finger at me and "correct" me.

I'm really tired of using a computer and feeling like a passenger rather than the driver.


Then use Firefox. Firefox has an option for this:

https://superuser.com/questions/1721511/firefox-allow-http-u...

https://support.mozilla.org/en-US/kb/https-only-prefs#w_enab...

There’s plenty of reasons to be mad at big corporations. But for now at least, Firefox still supports your right to make bad life choices on the internet.


Honestly, I run into the same issue. My use case is mostly for older wifi captive portals which just don't work against HTTPS since they obviously can't MITM the user. My other use case is for development work when I want to capture the traffic with Wireshark without setting up HTTPS stripping via a pinned certificate myself.


Why do you want to save a file unencrypted on your filesystem, when encryption is available?


You generally shouldn't. But data at rest is different from data in transit in that you are vulnerable to a MITM with data in transit. Who cares if you're saving an encrypted file or not, if you can't trust that it's the same file that you intended to access.


Because I still want access to my files if there is a catastrophic system failure?


Saving unencrypted data at rest is not possible anymore on macOS. Even though it may appear as unencrypted, it is always encrypted.


For signed content where confidentiality is not important, an unencrypted HTTP connection is totally fine.

Some components of Public Key Infrastructure itself use unencrypted HTTP for this very reason. See Online Certificate Status Protocol (OCSP) - a method for distributing Certificate Revocation Lists.

Many Linux distributions operate package repositories in this manner. It allows caching of packages through a variety of methods.

Generally, CDNs can distribute signed HTTP content without requiring a customer to share a private key as would normally be required by HTTPS. So long as confidentiality is not a requirement.

The IETF, Google, and Cloudflare have been developing standards for it.

https://www.ietf.org/archive/id/draft-ietf-httpbis-message-s...

https://wicg.github.io/webpackage/draft-yasskin-http-origin-...

https://developer.chrome.com/blog/signed-exchanges

https://news.ycombinator.com/item?id=29281449


These examples are not in the browser context at all.


The package repo one is. You should be able to browse it over HTTP, just as they also used to be browsable via Internet Explorer's FTP mode.

Parent post didn't explicitly ask for browser context only.


Why? What benefit is there to browsing a package repo over plain http when https is available?

MITM attacks seem incredibly dangerous in a package repo. Signing only gets you so far - and they probably don't protect you from downgrade attacks.
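The two comments above make a pair of points: signed content can be served over plain HTTP (the OCSP / package-repository / signed-exchange argument), and a signature alone does not stop an on-path party from replaying an older, validly signed artifact. The following is an added example written for this thread, not code from any of the linked projects, and the manifest format, the "tool" package, the key pair and the payload bytes are all constructed. It goes slightly beyond the thread by showing the client-side state a verifier needs on top of signature checking: a version counter (so a genuine but older manifest is refused as a downgrade) and an expiry on the manifest (so a replay is only useful inside a bounded window).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Manifest is a constructed, hypothetical description of one package version.
// It travels over plain HTTP next to the package bytes; only the signature
// protects it from on-path modification.
type Manifest struct {
	Name     string `json:"name"`
	Version  int    `json:"version"`   // must increase with every release
	SHA256   string `json:"sha256"`    // hex digest of the package payload
	NotAfter int64  `json:"not_after"` // unix seconds; bounds how long a replay stays valid
}

// Signed carries the serialized manifest and an Ed25519 signature over it.
type Signed struct {
	Manifest  []byte
	Signature []byte
}

// Sign is the repository side: serialize the manifest and sign those bytes.
func Sign(priv ed25519.PrivateKey, m Manifest) (Signed, error) {
	raw, err := json.Marshal(m)
	if err != nil {
		return Signed{}, err
	}
	return Signed{Manifest: raw, Signature: ed25519.Sign(priv, raw)}, nil
}

// Verifier is the client side. LastVersion remembers the newest version already
// installed, so a replayed older manifest is refused even though its signature
// is genuine; that state turns "signed" into "signed and not downgraded".
type Verifier struct {
	Pub         ed25519.PublicKey
	LastVersion int
	Now         func() time.Time
}

// Verify checks, in order: signature, expiry, version monotonicity, payload hash.
// Only a manifest that passes all four updates LastVersion.
func (v *Verifier) Verify(s Signed, payload []byte) (Manifest, error) {
	var m Manifest
	if !ed25519.Verify(v.Pub, s.Manifest, s.Signature) {
		return m, errors.New("bad signature")
	}
	if err := json.Unmarshal(s.Manifest, &m); err != nil {
		return m, err
	}
	if v.Now().Unix() > m.NotAfter {
		return m, errors.New("manifest expired: outside the allowed replay window")
	}
	if m.Version <= v.LastVersion {
		return m, fmt.Errorf("downgrade refused: version %d is not newer than installed %d", m.Version, v.LastVersion)
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return m, errors.New("payload hash mismatch")
	}
	v.LastVersion = m.Version
	return m, nil
}

// Demo plays three fetches against one client: a swapped payload under a genuine
// manifest, the genuine release, then a replay of the previous (also genuinely
// signed) release. It returns whether the genuine release was accepted and the
// errors the other two produced.
func Demo() (accepted bool, tamperErr error, downgradeErr error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed key pair, not a real repo key
	if err != nil {
		panic(err)
	}
	client := &Verifier{Pub: pub, LastVersion: 0, Now: time.Now}
	notAfter := time.Now().Add(time.Hour).Unix()

	sign := func(version int, payload []byte) Signed {
		sum := sha256.Sum256(payload)
		s, err := Sign(priv, Manifest{Name: "tool", Version: version,
			SHA256: hex.EncodeToString(sum[:]), NotAfter: notAfter})
		if err != nil {
			panic(err)
		}
		return s
	}
	v1, v2 := []byte("tool release 1 (constructed)"), []byte("tool release 2 (constructed)")
	s1, s2 := sign(1, v1), sign(2, v2)

	// 1. Payload bytes swapped in transit, manifest untouched: hash mismatch.
	_, tamperErr = client.Verify(s2, []byte("swapped bytes (constructed)"))
	// 2. The genuine release is accepted and recorded as installed.
	_, err = client.Verify(s2, v2)
	accepted = err == nil
	// 3. Release 1 replayed with its original, valid signature: refused as a downgrade.
	_, downgradeErr = client.Verify(s1, v1)
	return accepted, tamperErr, downgradeErr
}

func main() {
	ok, tamperErr, downgradeErr := Demo()
	fmt.Println("genuine release accepted:", ok)
	fmt.Println("tampered payload:", tamperErr)
	fmt.Println("replayed old release:", downgradeErr)
}
```

The hash check is what makes plain HTTP acceptable for the payload itself; the version and expiry checks are what the signature alone cannot give you, and real package managers carry equivalent metadata for the same reason.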


Whether or not there is a benefit should be a judgement left up to the user.

There's no benefit to saving a file on a floppy disk, but if I tell my computer to copy a file to my floppy drive, I don't expect it to say "No, can't do that. You should be using a USB flash drive--they're better in all ways!"


I'm sure there's plenty of good reasons for wanting to use unencrypted HTTP, just like there's probably plenty of reasons to enjoy using floppy disks.

But I'm asking you: Why do you want to use unencrypted HTTP? Surely there must be some reason you want to do that, right? You (and others) clearly care a lot about this. I'm sure you're not an idiot. Help me understand your point of view here?


In this specific case, it's a crappy IoT device supporting only TLS 1.1. So when my browsers "helpfully" redirect me from the http:// interface to the https:// interface, they then "helpfully" refuse to work because TLS 1.1 is icky and end-of-life and browsers have decided that means "tell the user to fuck off."

At the end of the day, I worked around all of this browser helpfulness by using Firefox and re-enabling TLS 1.1 in Firefox's settings. I never actually managed to force any browser to use http:// despite trying many proposed solutions in this thread and on the web.

But all that aside, it doesn't really matter why I want to use unencrypted HTTP. I am commanding my computer to do it, and I expect it to carry out my command. My computer is a tool. It should do what I want it to do, even if that might hurt me. If I type in sudo rm -rf /usr, I expect it to do what I tell it to do. Not ask "Why do you want to do that?"



