Comment 9 for bug 1485020

Matthew Paul Thomas (mpt) wrote:

> Quite often, the reason the site operator tried to use HTTPS at all
> was that they're doing something that really does need security,
> something they would never dream of using HTTP for. So without the
> browser knowing what a site is for, letting you use misconfigured/
> vulnerable HTTPS is, on average, much riskier than letting you use
> HTTP.

FWIW, in the three years since I wrote this, the situation has changed hugely. Browser vendors have encouraged sites in general to adopt HTTPS (both by offering new abilities only to HTTPS sites, and by showing increasingly-scary UI for HTTP), and pages loaded over HTTPS worldwide have increased from 38% to 76%. <https://letsencrypt.org/stats/#percent-pageloads> So it’s no longer the case that most HTTPS sites are “something they would never dream of using HTTP for”.

So, it might now be more justified to let people override HTTPS misconfiguration/vulnerability blockages than it was before. But maybe other factors have changed too, such as the frequency of misconfiguration or the frequency of attacks.