
Let's Encrypt had an outage today, and websites progressively started disappearing from the web. It serves 60% of websites in the world. No wonder the world noticed.
And if you think we can still deploy HTTP websites, you are wrong, because browsers:
- show any website served over HTTP as explicitly not secure in the address bar
- limit many web APIs to "secure" contexts
- upgrade mixed-content so that HTTPS sites cannot request HTTP-only resources
- increasingly attempt HTTPS to a site first even if linked/typed as HTTP
- warn about downloads over HTTP...
Moreover, browsers will continue to phase out insecure HTTP over time.
But it does not stop there. HTTP/1.1 is on the verge of extinction.
According to Cloudflare Radar, HTTP/1.1 usage is below 10%, and since HTTP/2 and HTTP/3 have TLS baked into their specifications, the chances of quickly falling back to unencrypted HTTP connections are slim.
The final stab in the back is the HTTP/1.1 desync attack, joyfully popularized by James Kettle at the DEF CON and Black Hat conferences.
HTTP/1.1 is dying and the decentralized nature of the web is dying with it.