Honestly I don't even think technical users would get the 'point' most of the time.

Whenever I visit an HTTP-only site, I assume the administrator is either old and does not understand how to set up SSL, or it's an unmaintained/forgotten web server that hasn't been touched in about a decade.

> When ... I assume the ...

If it's (1) obviously recent content*, and (2) something that needs little security - a city council member's blog, or recipes - then how much do you care that it's HTTP-only?

*Or just date-insensitive

That's precisely the point of HTTPS: your harmless recipe site can start spreading malware without your knowledge if you make it HTTP, as the content can be changed by anyone it passes through.

> your harmless recipe site can ...

As can every recipe site with httpS - but a vulnerable WordPress plugin, or too-easy admin password, or malvertising, or a zillion other things.

But conveniently, "all sites gotta be httpS" puts the biggest part of the blame/load on the littlest little guys - who want to make and post good, unmonetized content. But don't have an IT skill set, nor want to deal with yet more admin overhead & costs.

It really doesn't matter if a personal blog decides to serve only http as a niche protest. But you really don't want to go back to the times when most sites were http; we had:

- Massive government spying programs. People forget that Chat Control used to be the standard: everything you ever browsed, posted or said online could be monitored.

- Tracking that you could not disable, where your ISP would work with publishers appending http headers to every request that uniquely identified you.

- Not only little guys, as you say, were using http; it was government sites, news sites. A huge part of the internet was unencrypted and vulnerable to MITM. As you say, yes, it's not the only attack vector, but it was one of the easiest to exploit, where any random wifi access point you're connected to could steal your credentials.

> But conveniently, "all sites gotta be httpS" puts the biggest part of the blame/load on the littlest little guys - who want to make and post good, unmonetized content. But don't have an IT skill set, nor want to deal with yet more admin overhead & costs.

Sure, but if you don't have the skills to self-host, you are using an online service, and ~100% of them will do HTTPS for you.

If you are self-hosting, HTTPS can take as little as zero configuration - I use Caddy and it does it for me.