When I see articles about security related topics I immediately expect them to be served over HTTPS and get frustrated when they are not.
It makes me think if HN should perhaps make a stand and either display some sort of lock icon next to secure links or make it harder for insecure links to show in the front page. Where is the right place to discuss this?
Why do you need https for text only page? Sure, somebody could do deep packet inspection, but they would not find anything they couldn't find going to the domain (that won't be hidden by https anyway) directly.
EDIT: previously incorrectly stated 'url' instead of 'domain'.
There are several reasons you want this, relating to security, privacy and “politics” (in the wider sense).
Regarding security, using HTTPS (along with the right measures on externally-hosted content) guarantees (to some extend) that what the users gets is what you meant to publish: an hostile network cannot replace the content with misinformation and cannot inject JS -- to exploit the client or not (as was done with the “Great Cannon” [0] which took down Github).
Privacy-wise, a number of countries routinely spy on their communication infrastructure, and revealing “I visited this website” is far more problematic than “I visited this Tor-related post on this website, and left this comment”.
The last reason for systematic HTTPS is “political”: if we go towards a situation where HTTPS is systematically employed, HTTP-only website will be subjected to increasing amounts of social pressure as adoption rates grow: deploying HTTPS (and preferably best-practices) on your “text-only” website pushes other websites (that might “need” it more) to deploy it too.
I don't know what is on a page until I visit it, so to make a stand myself in favor of a less insecure internet, I use HTTPS Everywhere in strict mode, which blocks HTTP. I have found that mostly I can live with it, and wish for the community (HN audience is a good part of it) to keep pushing (through a bit of pressure perhaps) towards an HTTPS only internet.
The problem with this is that it makes it very difficult to do network/isp level caching, this is especially problematic in areas where internet connectivity is slow, expensive, and limited.
Given that this is a Tor article, let's talk about it. Tor exit nodes are a super easy place to perform snooping and injection on non-encrypted requests passing through that boundary. This has been used for simple snooping as well as demonstrated cache poisoning attacks that let the snooper inject JS into later https site requests like banks to exfiltrate passwords.
That's one possibility -- to misinform or give incorrect instructions. This may be more of a risk with this type of content than your run-of-the-mill personal blog.
A more frequent one is injection of ads or tracking scripts, or 'web accelerators' that recompress images. Certain ISPs have been known to do these.
Spy on our country's citizens with deep packet inspection and put anyone on a list that reads anything related to Tor. With HTTPS, the visit of this website would seem 'innocent'.
It makes me think if HN should perhaps make a stand and either display some sort of lock icon next to secure links or make it harder for insecure links to show in the front page. Where is the right place to discuss this?