Please put yourself in the shoes of someone actually operating a site. Every single issue mentioned in that post only affects end-users. Not a single issue for the operator, who has many other issues that are more urgent such as turning a profit, securing that database that got wiped last week, and writing actual content. Point being that the incentive to force https for a static site for an individual site operator is just not that great.
The sad reality is that http->https redirects are like vaccination. In some specific cases they are needed (such as login pages), but for some it's more about herd-immunity (normalizing https usage and ensuring availability). Mind you that there's a solid argument for allowing self-signed certs to allow encrypted but unauthenticated transfer. This mode allows MitM, yet does protect against the threat model of a passive eavesdropper.
"Please put yourself in the shoes of someone actually operating a site." - I run 8 sites right now and one of them is processing 10,000,000,000+ requests a month. I speak from a position of experience on this topic.
"Every single issue mentioned in that post only affects end-users. Not a single issue for the operator" - so don't care about the user and the risks we expose them to, only ourselves? This isn't really an approach I'm happy taking.
With 10B monthly requests, you speak from a position of having an operations team who spend 40+ hours a week on keeping your site secure (possibly even a dedicated security team?). Most sites do not have that luxury. If you're doing that on your own, then you're far from the average site operator that I'm referring to here. In fact, most everyone on HN is not the average site operator I'm talking about here.
My poorly communicated point is that using extreme language like "I'm going to hack your static site" dilutes the message and makes average operators less receptive to more advice in the future. Troy does a lot of good work on reducing friction and advocacy, but sometimes he puts out more extreme content like this, which makes me worry that it may have the opposite effect.
PS - Do you think the vaccine analogy works? I'd appreciate some advice on how to improve it
Yes. When you make a website your obligation is to your users. Can you imagine any other engineering field where people were willing to say "well, that's a problem for my customers and not a problem for me" and think that was okay?