Why Your Web Site Should Also Support HTTP (Without 'Secure')
Secure is good. Secure is definitely desirable. But at what cost? Security isn't a bad word, of course not! In fact, we've all become accustomed to hearing about security breaches. We learned about the importance of security and got used to or came to assume transmissions are encrypted one form or another (usually between us and some remote server; for person-to-person communication that's not good enough).
The unavoidable tradeoffs are often forgotten and the issue neglected though. Shaming and humiliation of critical thinkers is all too common in this domain. Anything to suppress candid discussion or proper debate...
You see, on the Web, many old devices still exist that cannot handle HTTPS (we wrote a lot about this matter in the distant past), do not have the latest version and/or protocol (this probably cannot be overcome either, as there's a long chain of stale dependencies), or are wired to handle authoritative domains (or certificates) long expired, in other words deprecated. For this reason, sites which force everybody to use HTTPS have an inherent accessibility problem.
We're bringing up this issue again because it was mentioned in IRC some hours ago. In the past we insisted that everyone should use HTTP or configure the browser to trust our self-signed certificate (for HTTPS). As browsers 'evolved', however, they made it increasingly hard if not altogether impossible. So we sort of gave up, surrendering to the mess the Web had unfortunately become. Secure transmission of pages or page-related data matters when making online purchases (i.e. credit card numbers - an opportunity for fraud) and using banks (that was originally the purpose or motivation); for everything else HTTP tends to be enough. There are many reasons (at several levels) why HTTPS does very little to protect your privacy when you surf the Web, even if strictly over HTTPS (not limited to JavaScript, trackers, DNS and so on).
But let's just set the record straight.
Secure protocols are a good thing, but do not impose that stuff on people who come to your site only to read some articles. You're probably losing more than you're gaining. It's like putting a helmet on when cooking in the kitchen; sure, if might protect you (in some rare circumstances), but it can also get in the way.
If your Web site has HTTPS (by default, as increasingly common these days), then adding HTTP should not be hard. It's a lot simpler - can be done easily in a few minutes - than going the other way around. Depending on your 'webserver' software, the configuration file/s may only need a few additional lines. With a front-end interface it might be just some tickbox.
Let people with old computers, old devices (such as TVs with Internet support), and "old" (or simple) browsers regain access. Don't forget RSS readers, either. Some cannot handle edge cases. The same is true for IRC, but that's a story for another day. If we all use unencrypted E-mail (I encrypt every E-mail message that I can for over 20 years already, but both sender and recipient need to exchange keys), why can't we do the same with Web pages that we visit?
To put it a little more crudely, focus on security where it matters most. Many sites get breached/cracked (data compromised or worse) in spite of adopting HTTPS. It's better to focus on the integrity and security of the server itself rather than pseudo-security associated with packets containing freely- and publicly-available pages.
It would be totally appropriate to speak about these issues from an accessibility perspective. Because, in many ways, that's just what we're dealing with. Most disabilities aren't visible to the naked eye (it's not all stuff such as wheelchair or hearing aid, for instance) and are nevertheless something we must bear in mind to properly cater for everybody. The poor person with an old TV that cannot browse sites with the latest TLS may be just as disadvantaged (at least economically) as many others. IBM might make fun of that person (poor-shaming), but IBM is a eugenics company, not a role model for other companies to idolise and imitate. █
