General Discussion • Re: Enforced https on public sites
Some mobile ISPs used to intercept HTTP traffic and insert ads, so HTTPS might be useful even without sensitive data (at least as an option), to make sure the page is not modified. Another reason is the placeholder pages that an ISP may enforce when the internet or a resource is blocked; it typically inserts a redirect HTTP response instead of the real response. It's better to see an HTTPS connection error, not a redirect, that may hide the original request URL.
I do not like HSTS and TLS version enforcing, but without that a security downgrade attack is possible. It would be safe not to enforce the TLS version on the server if it were included in the URL scheme, so it would not be possible to silently downgrade the protocol version. I want my servers to support SSL3, so old browsers may access the HTTPS-only auth form, but enabling it would allow someone to steal auth data with a TLS downgrade even on a modern browser, and moreover, some existing browsers will warn that the server is not safe.
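Since the post turns on what HSTS actually commits a browser to, here is an added example (not the poster's code) that parses a Strict-Transport-Security header per the RFC 6797 directive grammar and reports whether the policy is enforced; the one-year minimum max-age threshold is an assumption, not something the post states.

```python
"""Parse and evaluate Strict-Transport-Security (HSTS) headers.

Added example, not code from the forum post. Follows RFC 6797 section 6.1:
directives are ';'-separated, names are case-insensitive, max-age is
mandatory, and a directive name appearing twice makes the header invalid.
"""
import re
from typing import Dict, Optional

# One directive: token name, optional "=" value (token or quoted-string).
_DIRECTIVE = re.compile(
    r'^\s*([A-Za-z0-9!#$%&\'*+.^_`|~-]+)\s*(?:=\s*(?:"([^"]*)"|([^;\s"]*)))?\s*$'
)


def parse_hsts(header: str) -> Optional[Dict[str, Optional[str]]]:
    """Return {directive_name: value} or None when the header is invalid."""
    directives: Dict[str, Optional[str]] = {}
    for part in header.split(";"):
        if part.strip() == "":
            continue  # tolerate empty segments such as a trailing ';'
        m = _DIRECTIVE.match(part)
        if not m:
            return None
        name = m.group(1).lower()
        if name in directives:  # duplicate directive => whole header invalid
            return None
        directives[name] = m.group(2) if m.group(2) is not None else m.group(3)
    # max-age is required and must be a non-negative integer (delta-seconds)
    if "max-age" not in directives or not (directives["max-age"] or "").isdigit():
        return None
    return directives


def hsts_policy(header: str, min_age: int = 31536000) -> dict:
    """Summarise what a browser would enforce after receiving this header.

    min_age (assumed threshold, one year) flags policies too short to protect
    returning users against a later plain-HTTP downgrade or redirect.
    """
    d = parse_hsts(header)
    if d is None:
        return {"valid": False}
    max_age = int(d["max-age"])
    return {
        "valid": True,
        "max_age": max_age,
        "include_subdomains": "includesubdomains" in d,
        "enforced": max_age > 0,  # max-age=0 tells the browser to forget the host
        "meets_min_age": max_age >= min_age,
    }
```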
Discussion in the ATmosphere