> There is still risk, but this is a form of risk which is not necessary and can be reduced.
It reduces it a little bit. But if you drop the risk of a random site being malicious by 25% that's not a very important change. The user still has to be wary. That reduction is not worth anything as drastic as blocking the site.
> We are talking about blogs that don't use https because they don't sell things. Expired certificates are out of scope of this comment thread.
I got the impression we were primarily talking about broken https. It's definitely not out of scope entirely:
"If it says the certificate for your bank is expired, you need to stop. If it says the certificate for the 10 year old public blog post that was linked by a 5 year old Reddit post as describing the solution to your problem, that should not matter, and you just want to read the non-secret contents of whatever is on that page regardless of whether the site's maintainer turned on HTTP to HTTPS redirects and then neglected to renew the certificate."
> People who care about the success of the web care because it makes the web more risky than people using mobile apps.
The main comparison here is whether a middleman injected it or the blog inserted it server-side. The level of risk is similar either way.
> The blog owner cares about the reputational hit.
If the blog hasn't been updated in ages, they probably don't.