This is stupid. There are all kinds of use cases where you don't care who knows what you're looking at, or whether it is authentic.
Say I navigate to some restaurant's web page using HTTP. Even if I used HTTPS, someone spying on my traffic would know what I'm reading, if the IP address is a dedicated server for that web site only. Whether I use HTTP or HTTPS, they could infer that I'm interested in visiting the restaurant.
Secondly, I'm only interested in the opening hours. That is not classified information.
I suppose that a MITM attack could be perpetrated whereby the attackers rewrite the opening hours. I end up going to the place while it is in fact closed (and the area happens to be deserted), making me an easy target for the attackers to rob me.
Okay, okay, please deprecate HTTP; what was I thinking!
And that restaurant better get a properly signed certificate; no "self signed" junk! Moreover, I'm not going to accept it over the air the first time I visit, no siree. DNS could be redirecting me to a fake page which also has a signed certificate. I'm going to physically go the restaurant one time first, and obtain their certificate from them in person, on a flash drive, then install it in my devices. Then I'm going to pretend I was never there and don't know their opening hours, and obtain that info again using a nearly perfectly secured connection!
Or one of your browser tabs containing an HTTP-delivered page (any one, really) could arbitrarily be rewritten by the MITM to look the same at first, but carry some injected Javascript such that, a few minutes after it detects you've unfocused the page, it turns itself into a Gmail phishing site[1].
Since the SSL negotiation happens before the HTTP request, either there's only one certificate for that IP or you need to use SNI, which reveals the domain you're requesting.
You could have multiple domains in the certificate to avoid identification, but that has its own problems.
It has become so tiresome to deal with the likes of you - people who will say how they don't need or want SSL, how they don't care about privacy.
This is the techie version of "nothing to hide, nothing to fear". It's a pathetic argument and brings nothing to the table.
Just because you don't care about the NSA knowing you like McDonalds when you browse their menu, everybody else in the world shouldn't care about their government knowing they are gay (which, need I remind you, is an offense punishable by death in certain countries) when they browse an article on LGBT rights.
Because, if McDonalds doesn't need SSL for their menu, why would a writer need it for his small-audience blog?
Say I navigate to some restaurant's web page using HTTP. Even if I used HTTPS, someone spying on my traffic would know what I'm reading, if the IP address is a dedicated server for that web site only. Whether I use HTTP or HTTPS, they could infer that I'm interested in visiting the restaurant.
Secondly, I'm only interested in the opening hours. That is not classified information.
I suppose that a MITM attack could be perpetrated whereby the attackers rewrite the opening hours. I end up going to the place while it is in fact closed (and the area happens to be deserted), making me an easy target for the attackers to rob me.
Okay, okay, please deprecate HTTP; what was I thinking!
And that restaurant better get a properly signed certificate; no "self signed" junk! Moreover, I'm not going to accept it over the air the first time I visit, no siree. DNS could be redirecting me to a fake page which also has a signed certificate. I'm going to physically go the restaurant one time first, and obtain their certificate from them in person, on a flash drive, then install it in my devices. Then I'm going to pretend I was never there and don't know their opening hours, and obtain that info again using a nearly perfectly secured connection!