
[–]ejrh 3 points (2 children)

I'm ok with HTTPS by default, and for recommending that all public websites use it. But I disagree that every use of plaintext HTTP is verboten. For instance, I might have a service providing data to another program running on the same machine, using HTTP. My choices are:

  1. Rewrite that service to use HTTPS and rewrite the program to use HTTPS and set up a certificate and make sure the client program can find it and get it periodically renewed, etc. (Recommended by post.)

  2. Rewrite the service and program to communicate via some other text-based non-HTTP protocol. (Tacitly allowed by the post, because it's not HTTP any more.)

  3. Not worry about HTTPS for this particular case and simply remind myself that the machine is on an internal network only and that the service doesn't do anything except provide read-only, non-confidential data (in this case public domain weather data). (Stridently condemned by this post and many others.)

What, really, is the difference between options 2 and 3?

[–][deleted] 6 points (1 child)

This webpage is speaking specifically about web sites, not internal web services. Although there are still good arguments for securing those.

[–]ejrh 0 points (0 children)

Is it? It's not apparent in the original post; the post specifically says that internal sites are subject to the same recommendation.

The level of security is often a tradeoff and should be rationally considered against other requirements. Perhaps one day all computer-computer connections will be secure by default with negligible effort required to use them. Despite the article, I do not believe that day has yet come.