But if you have long tail of legacy content that you cannot yet get migrated to https, commonly due to mixed-content rules and interactions with third parties, OE provides a mechanism for an encrypted transport of http:// data. That’s a strict improvement over the cleartext alternative.

Two simple steps to configure a server for OE

Install a TLS based h2 or spdy server on a separate port. 443 is a good choice :). You can use a self-signed certificate if you like because OE is not authenticated.

I don’t get it, who is going to be able to setup an HTTP2 or SPDY server and generate a cert, but not be able to get a signed cert?