
Fortunately, I am not saying that Wikipedia should serve plain HTTP. "That which is not mandatory is forbidden" is what I am trying to avoid; I am moving toward options and choices. HTTP should be an option for people depending on what their needs are and how comfortable they feel with various threat models.


> I am moving toward options and choices. HTTP should be an option for people depending on what their needs are and how comfortable they feel with various threat models.

That's fine and I agree with "http" sometimes being a valid choice.

I disagree with how you argued it using phrases like "sometimes a website just provides information instead of credit-cards". The "provides information" is a flawed mental model to base a decision tree on and just confuses people about why https is also important for non-credit-card data.

Your later qualifications specifying "threat models" are much better argued. Yes, my internal git web server doesn't need https and I don't want the hassle of getting a Let's Encrypt certificate for it. And a toy website on my Raspberry Pi on my local private firewalled NAT'd LAN doesn't need https either.

It's not about "public information"; it's about "threats".



