Funny. The 'trouble' is not more than adding a single header:
Strict-Transport-Security: max-age=604800
And that is it. Your browser now prefers to use https for your web site. That was really not that much trouble, was it?
Also, https is not just for banking. I like it when people cannot see what I am doing online. Whether that is online banking, doing a google search or writing a posting on hackernews.
The reason for this is, somebody controlling the network could create a fake DNS A record for "foobar.news.ycombinator.com", and then stick this into the html of another unrelated non-https page that you go to:
<img src="http://foobar.news.ycombinator.com/">
Which then may leak the news.ycombinator.com cookie over http, as the STS would only have applied to news.ycombinator.com and not foobar.news.ycombinator.com.
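To make the two comments above concrete, here is an added example (not code from either commenter or from Hacker News) that parses a Strict-Transport-Security header the way a browser does and reports which URL the browser would actually fetch. It uses the header value from the first comment and the hostnames from the second; the `includeSubDomains` directive is the RFC 6797 directive that extends the policy to subdomains, and the function names are my own.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit, urlunsplit


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool


def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security header value (RFC 6797 syntax).

    Returns None when there is no valid max-age directive, which is what a
    browser does: a header without max-age is ignored entirely.
    """
    max_age = None
    include_subdomains = False
    for directive in header.split(";"):
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        # any other directive is ignored, as the RFC requires
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains)


def hsts_covers(policy_host: str, policy: HstsPolicy, request_host: str) -> bool:
    """True if a policy learned from policy_host applies to request_host."""
    ph = policy_host.lower().rstrip(".")
    rh = request_host.lower().rstrip(".")
    if policy.max_age == 0:  # max-age=0 tells the browser to forget the policy
        return False
    if rh == ph:
        return True
    # only includeSubDomains makes foobar.example.com inherit example.com's policy
    return policy.include_subdomains and rh.endswith("." + ph)


def effective_url(policy_host: str, header: str, url: str) -> str:
    """Return the URL a browser that cached `header` for policy_host would fetch."""
    parts = urlsplit(url)
    policy = parse_hsts(header)
    if parts.scheme != "http" or policy is None:
        return url
    if hsts_covers(policy_host, policy, parts.hostname or ""):
        # an explicit :80 is rewritten to the https default; other ports are kept
        netloc = parts.hostname if parts.port == 80 else parts.netloc
        return urlunsplit(parts._replace(scheme="https", netloc=netloc))
    return url


if __name__ == "__main__":
    site = "news.ycombinator.com"
    base = "max-age=604800"  # the header value quoted in the comment above
    for header in (base, base + "; includeSubDomains"):
        for url in ("http://news.ycombinator.com/",
                    "http://foobar.news.ycombinator.com/"):
            print(f"{header:36} {url} -> {effective_url(site, header, url)}")
```

With the bare `max-age=604800` header the request to `foobar.news.ycombinator.com` stays on plaintext http, which is the case the second comment describes; adding `includeSubDomains` upgrades it. Independently of HSTS, a cookie carrying the `Secure` attribute is never sent over http at all, so the two mitigations complement each other.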