i got yelled at once for saying i should be able to disable https if i want in some cases. how dare i encroach on security!!!!!!
99% of the time you don't need shit to be secure. you won't care. but i find that it's increasingly like those public cctv and security cameras you see everywhere: it's suffocating, and critically, it also kills off every alternative, old client out there.
like, great, yeah. you require tls 1.3, and the latest certs to be installed. anything that's too old to get an update now? dead. there's nothing you can do. an end user is completely unable to do anything about these issues outside of buying a new device.
you have something retro you want to get online? too bad. have fun setting up a bunch of weird proxies to get around things. you want to download old software? guess what: it's often also hosted on these sites with higher requirements. you can't download k-meleon on older systems, a browser that tries to support newer encryption protocols specifically for older shit, because... the download system requires the modern ciphers and refuses anything else.
i think the most damning thing of all is that, as much as Google is leading the charge in enforcing these, showing scary NOT SECURE!!!!!!! if you dare to use http for anything... their shit still works with it. i'm pretty sure if you dump google.com in windows 98 internet explorer, it will still dutifully load an old search page, that, critically, still works.
my take on it is just: do you need it? do you really need five layers of web security for every single operation you do? i'm not saying it all should go away; banks and other websites that take personal information shouldn't be insecure. but the vast majority of the web doesn't need this. your geocities-aesthetic page does not need the finest encryption the nsa can provide. 99.999999% of the time nobody is going to give a shit.
but the fact that it's on, with no option to ever turn it off, means that you have no option but to upgrade to the latest and greatest. if you have something old, it could still be fully working; but they swapped the locks on you, so you can't use it any more.
disclaimer
i can rant about these things precisely because i have no impact on them. nobody is going to read this and turn around to go "wow, we should turn https off entirely!" because i ranted about it some. if you show up and go "wow so you just want everyone to get MITMed and hacked forever, huh" i will kick you in the nuts or nuts-equivalent and push you down a flight of stairs.
if you do this you are showing up to the old guy with a waist-length beard holding a cardboard sign saying "OLD WAS BETTER" and trying to argue with them, and i will instead beat you with the sign. let me have my fun. you are never going to feel the impacts of my rants, because they don't exist. but you might feel what i'm ranting about.
There's an especially insidious wrinkle to this in web APIs. Many newer web APIs can only be used for documents served via a "secure context", which means served via HTTPS. Even for completely static single-file applications that never so much as make a single network request. Despite the claims on that MDN page, some browsers don't even allow these features to be used on documents opened from a local filesystem, and you can expect this to get locked down tighter over time.
Web-Decker will probably never be able to prompt the user to take a webcam photo, or access gamepads on firefox, or save a file in-place, because in addition to quite reasonable affirmative-consent-gating dialog boxes, there is this bullshit HTTPS constraint.
Secure Contexts are a very deliberate choice to ratchet applications toward HTTPS, and HTTPS is in turn a ratchet to kill old software.
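
The secure-context gating described in the reply above, as an added example that is not part of the original thread or of Web-Decker's own code: a probe that reports which of the three features mentioned (webcam capture, gamepads, in-place save) are reachable from the current document, and why not when they aren't. The `env` parameter, the two sample objects and the listed fallbacks are assumptions of this example.

```javascript
// Added example. `env` is a window-like object so the probe can also be
// exercised outside a browser (an assumption of this example).
const GATED = [
  // name, how to detect the API, and a fallback that needs no secure context
  { name: "webcam photo",
    present: (e) => typeof e.navigator?.mediaDevices?.getUserMedia === "function",
    fallback: '<input type="file" accept="image/*" capture>' },
  { name: "gamepads",
    present: (e) => typeof e.navigator?.getGamepads === "function",
    fallback: "keyboard/pointer input only" },
  { name: "save file in place",
    present: (e) => typeof e.showSaveFilePicker === "function",
    fallback: "Blob URL + <a download> (saves a new copy)" },
];

function probeFeatures(env) {
  // isSecureContext is false for plain http:// and, in some browsers, file://
  const secure = env.isSecureContext === true;
  return GATED.map(({ name, present, fallback }) => {
    if (present(env)) return { name, usable: true, reason: "available" };
    // The API object is absent. In an insecure context the gate is the
    // likely cause; in a secure one the browser does not implement it.
    const reason = secure
      ? "not implemented by this browser"
      : "absent; document is not a secure context";
    return { name, usable: false, reason, fallback };
  });
}

// Constructed sample environments (not captured from real browsers).
const httpsPage = {
  isSecureContext: true,
  navigator: { mediaDevices: { getUserMedia() {} }, getGamepads() { return []; } },
};
const localFile = { isSecureContext: false, navigator: {} };

// In a real page, report on the live window object.
if (typeof window !== "undefined") console.table(probeFeatures(window));
```

Running the probe from the same HTML file opened via `https://`, `http://` and `file://` shows which features each browser withholds purely because of how the document was served.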
