Interesting statistics. But I remain skeptical towards this mode, in case it ever becomes the default, especially with an ominous warning page on HTTP sites. Way to gatekeep the web.
Nah, what makes you think this opt-in security mechanism, something that the EFF spearheaded many years ago as HTTPS Everywhere, is a way to employ gatekeeping? Setting the opt-in flag implies someone does not want to visit HTTP web pages. Do you think folks would rather opt-in to this if the downgrade happened in a completely transparent way? Your point of an “ominous” warning page is interesting though, I could imagine this being at odds with the terminology of “https only”; but that name isn’t set in stone either. :)
I’d argue the browser’s big promise is to support legacy content. Browsers still support a lot of nonsense from the 1990s, like . There are no plans to abandon HTTP altogether.
Yeah, I think it’s fine as long as it is opt-in. I’m just a bit hesitant in case it is made opt-out in the future. I’d hate for people to be scared away from non-HTTPS sites by a big browser warning.
As for defaults, I think a reasonable choice is HTTPS by default with transparent downgrade to HTTP, which seems to be the way Chrome is going, if I understand correctly.