> Others will have different opinions but I personally remain skeptical that TLS provides internet users with more value than it provides so-called "tech" companies ...
I think TLS can be helpful (for both sides of a communication), but the browser should not require it, and most servers also should not require it (but should allow it, if you deliberately choose to connect with TLS). HSTS is especially bad (I managed to disable it on my computer by using a hex editor so that the browser would no longer recognize the Strict-Transport-Security header).
Certificates can be helpful if you actually know which ones you specifically trust for a specific purpose (rather than being automatic), and if they will tell you information about a business (although as far as I know, Let's Encrypt does not do this and only verifies the domain name). However, sometimes a certificate is changed or superseded, due to expiry, or change in ownership, etc., and it does not prevent the server operator from sending you malware; it only prevents spies from doing so. If a domain name is sold to someone else, that does not prevent cookies and other stuff from being sent, or from them adding malware, etc.; however, it would be possible for end users to know the certificate to trust and avoid this problem (if a browser can be programmed to do this).
Client certificates could be helpful for authentication too, but this is rare with HTTPS (but it is commonly used with the Gemini protocol). But, it does prevent someone who takes over the domain name from being able to use your information to log in, since a private key is required in order to use a client certificate.
Furthermore, the browser really should allow unencrypted proxies for encrypted connections, in order that if you deliberately want MITM then you do not need to encrypt and decrypt the data multiple times.
> IMO, this is analogous to the situation with Javascript. It has the potential to provide value to www users, e.g., as a language computer owners can use to extend and control a graphical browser ...
Yes, as well as other programming languages (if a browser supports it, which most don't).
(I disable JavaScript on my computer, except for the scripts that I wrote by myself. I did write scripts to replace GitHub's UI (in far fewer lines of code than GitHub uses themselves), and other things.)
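
Added example, not part of the original comment: a trust-on-first-use pin store that records the certificate a user has chosen to trust for a host and flags any later change (for instance after a domain changes hands) instead of accepting it automatically. The `PinStore` class, the store path and the certificate bytes are constructed for illustration.

```python
import hashlib
import json
from pathlib import Path


class PinStore:
    """Trust-on-first-use store: host -> SHA-256 fingerprint of the DER certificate."""

    def __init__(self, path):
        self.path = Path(path)
        self.pins = json.loads(self.path.read_text()) if self.path.exists() else {}

    @staticmethod
    def fingerprint(der_bytes):
        return hashlib.sha256(der_bytes).hexdigest()

    def check(self, host, der_bytes):
        """Return 'first-use', 'match' or 'mismatch'; a pin is never replaced silently."""
        fp = self.fingerprint(der_bytes)
        known = self.pins.get(host)
        if known is None:
            self.pins[host] = fp
            self._save()
            return "first-use"
        return "match" if known == fp else "mismatch"

    def repin(self, host, der_bytes):
        """Explicit user decision to trust a new certificate (e.g. after a renewal)."""
        self.pins[host] = self.fingerprint(der_bytes)
        self._save()

    def _save(self):
        self.path.write_text(json.dumps(self.pins, indent=2))


def demo(store_path):
    # Constructed stand-ins for DER certificates. With a live connection the bytes
    # would come from ssl.SSLSocket.getpeercert(binary_form=True).
    original = b"constructed-cert-original-owner"
    new_owner = b"constructed-cert-new-owner"
    store = PinStore(store_path)
    results = [
        store.check("example.org", original),   # first contact: pin recorded
        store.check("example.org", original),   # same certificate again
        store.check("example.org", new_owner),  # certificate changed: flagged
    ]
    # A fresh PinStore re-reads the file, so the pin survives a restart.
    results.append(PinStore(store_path).check("example.org", new_owner))
    return results
```

A `mismatch` result is the point where a client would stop sending cookies or credentials until the user calls `repin` deliberately.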