
Noooooooo! Why must the entire web be secure? I might run some micro news site for my local church that I update manually with (S)FTP and HTML files - why on earth should that connection be encrypted?

Bad security should be marked as bad. No security is not inherently bad.



An attacker could advise your trusting church-mates to download and run an application that turns out to be a virus while they believe it's from you.

A real but milder story - a customer of mine once complained about the advertising on my website being slightly offensive. I didn't have any advertising. When I investigated, it turned out the advertising was being injected by malware on his own computer. Not that HTTPS would have solved that, but I've heard of ISPs doing similar things where it would be prevented.


So your real world example would still be possible... that's unconvincing...


I disagree. No security really is as bad as broken security.

I'm guessing you think your church website isn't worth securing because it doesn't have any sensitive content. But in a world where surveillance is pervasive, that's not something you should depend on. For example, if religious discrimination were to lead to members of your church being harassed because of their viewing habits, then the argument that the content isn't sensitive doesn't seem so strong anymore.


For example, if religious discrimination were to lead to members of your church being harassed because of their viewing habits, then the argument that the content isn't sensitive doesn't seem so strong anymore.

HTTPS doesn't hide the IP or even the hostname (SNI is sent in cleartext) of the site you're connecting to, nor the IP of the client, so it'd still be trivial to determine who is visiting the church's website - just not exactly what pages on the site they've viewed. You need something more like Tor or stronger to protect against that.
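The point about SNI being readable on the wire, as an added example that is not part of the thread: a minimal TLS ClientHello is constructed locally (the hostname and cipher suite are made-up sample values), and a passive observer's parser recovers the server name from it without any key material, which is exactly what an ISP, a hotspot operator, or a defender's IDS can see.

```python
"""Added example: the TLS Server Name Indication (SNI) is sent in the clear
in the ClientHello. The record bytes below are constructed, not captured."""
import os
import struct
from typing import Optional


def build_client_hello(hostname: str) -> bytes:
    """Build a minimal TLS ClientHello record carrying one SNI extension."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
    sni_body = struct.pack("!H", len(entry)) + entry         # server_name_list
    sni_ext = struct.pack("!HH", 0x0000, len(sni_body)) + sni_body
    body = (b"\x03\x03" + os.urandom(32)       # client_version, random
            + b"\x00"                          # empty session_id
            + b"\x00\x02\xc0\x2f"              # one sample cipher suite
            + b"\x01\x00"                      # null compression only
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Walk a ClientHello as a passive observer would; return the SNI host or None."""
    # record type 0x16 = handshake, handshake type 0x01 = ClientHello
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        return None
    pos = 5 + 4 + 2 + 32                       # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]                     # session_id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + record[pos]                     # compression_methods
    if pos + 2 > len(record):
        return None                            # no extensions block at all
    ext_end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
        data = record[pos + 4:pos + 4 + ext_len]
        if ext_type == 0x0000 and len(data) >= 5 and data[2] == 0:
            name_len = struct.unpack("!H", data[3:5])[0]
            return data[5:5 + name_len].decode("ascii", "replace")
        pos += 4 + ext_len
    return None


if __name__ == "__main__":
    hello = build_client_hello("church.example.org")   # constructed sample hostname
    print(extract_sni(hello))   # hostname recovered with no decryption at all
```

Encryption of the record only begins after the handshake, so this hostname (and the client's IP) stays visible to anyone on the path, which is the limit the comment above describes.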


Securing is different to encrypting.

Most tracking of people is done by advertising and marketing companies. Should we mark all websites with advertising as insecure?


As much as I'd love that (seriously, not advertising per se of course but most types of cross domain tracking), something tells me that initiative is not going to originate from the Chrome team...


Ads are first-party content, in the sense that they are under the control of whoever is serving the webpage. One would hope that if the content provider were concerned about privacy, they would not choose to serve ads that violated that privacy.

On the other hand, using HTTP would open an otherwise harmless content provider to potential ad-insertion attacks by third parties. So in that sense, HTTPS really does matter here.


Security isn't just about protecting you from eavesdropping or data theft. It's about protecting the integrity of your content. ISPs and wifi hotspots can MITM you and inject advertisements and/or otherwise modify the content of your website in midstream. No security means there is no assurance that the page you are looking at is the page you intended to see. I'm sure your church doesn't want parishioners complaining about ads for porn showing up on your website just because they accessed it at a sketchy internet cafe.

And no security isn't inherently bad, but a browser warning doesn't have to be judgmental, it just has to be informative. Warning for a bad cert or a self-signed cert but not displaying any warning for an unsecured connection is misleading, as it implies an unsecured connection is more secure than a self-signed cert. By warning in some cases, the browser has taken responsibility for providing information about connection security; it should do the best job it can at that, and that should mean warning users that unsecured connections are unsecured.


The point here is not that any given site needs to be secure, but that by having all sites secure, the whole web is better off for it. The downside for you is that you'd need to do some extra work, but the upside is that you can enjoy a much more secure web. For everyone who doesn't have to deal with upgrading to https (which is by very far most people who use the web) it is only a good thing.


Personally, I'd be concerned if the government had a list of people who go to my local church, even if it was only approximated as website visitors.


No encryption is worse than bad encryption and should also be marked as such.

