
Yeah, it's never made sense to me why browsers show such a scary warning before visiting a site over HTTPS with an invalid certificate, when they didn't show any warning at all before visiting a site over insecure HTTP, since the latter leaves you vulnerable to a superset of attacks.



You’re right, but it’s basically a cultural legacy.

Most browsers really want to show scary warnings for HTTP connections these days. But there are enough complaints about it as a concept that they have not implemented it yet.

“Zero trust” or “BeyondCorp” security strategies are not widely deployed; a lot of organizations still use browsers over HTTP for internal apps, and don’t have a captive CA or a way to satisfy Let’s Encrypt challenges from outside the firewall. No one wants thousands of companies to train their employees to ignore cert warnings.

And there is a small but vocal set of folks who believe one should not have to satisfy a CA (even Let’s Encrypt) to put up a website.


I don't think that broken corporate policies should dictate what the public web does. If they must use split-horizon DNS (which is the worst thing ever) and can't do a DNS challenge, there are still plenty of ways to make browsers avoid warnings; every IT department can push trusted certificates to workstations and mobile devices. It's built into every device management system in the world.

If you don't manage employee devices AND can't get TLS certificates to internal applications, the employees are right to be scared by the browser's warning. You have failed as a corporate IT department.


I may be wrong, but it made sense to me:

* Visiting a site over HTTP, there's no expectation of encryption / comms security. So there's no need for a warning.

* Visiting a site over HTTPS, there's an expectation of encryption / comms security, so please let me know if it's not working as intended or there are warning signs.

That being said, I'm at the crossroads of "a little knowledge is a dangerous thing". The vast majority of my friends and family would not know HTTP is not encrypted... but they also won't even bother reading an expired cert warning and will just click to proceed.

(on a broader level, working in operations has underlined to me that default user behaviour with any modal dialog, window, warning, error, is to click everything until something works. There is no reason whatsoever to read or understand WHAT was clicked, or pay it any attention later, other than remembering which thing was clicked. It's an entirely binary world of "things that when you click them don't make it work" and "things that when you click them make things work". There is literally no other useful information for most users)


Also, that most people will not remember what option they clicked as little as the instant they click it and the window goes away.


It makes sense though?

If you're browsing via HTTP there is no expectation at all that what you are doing is secure.

If you have a problem in HTTPS, you are expecting to be secure, but you might not be. Hence, a warning.


It's only recently that it's become reasonable to add interstitials without annoying everyone. Firefox in HTTPS-Only mode does exactly that.

A bad certificate is a sign that something's actively wrong while (at least historically) no certificate doesn't really give a strong signal.


The problem is that those classes of wrongness are treated identically when they are emphatically not: scary, hard-to-understand-by-users warnings, if not outright inability to connect in some cases.

A cert that's a day past its expiration time has zero implications for the confidentiality and identity of the parties to the connection. The same cannot be said about a bad CN or signature.
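As an added illustration (not from the thread) of the distinction this comment draws: Go's standard x509 verifier already reports expiry, hostname mismatch and an unknown issuer as different error types, so a client can classify them instead of collapsing them into one generic warning. The host name, the certificates and the fixed clock are constructed test data, and the cert pool stands in for the trust store an IT department pushes to managed devices.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)
// Expired means clock or renewal trouble with identity intact; the other failures mean the peer cannot be identified.
const OK, Expired, WrongHost, Untrusted, Other = "ok", "expired", "hostname-mismatch", "untrusted-issuer", "other"
// Classify verifies leaf for host against pool at time now and maps the verifier's error type to a class above.
func Classify(leaf *x509.Certificate, pool *x509.CertPool, host string, now time.Time) string {
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool, CurrentTime: now})
	var inv x509.CertificateInvalidError
	switch {
	case err == nil:
		return OK
	case errors.As(err, &inv) && inv.Reason == x509.Expired: // Go also uses Expired for "not yet valid"
		return Expired
	case errors.As(err, new(x509.HostnameError)):
		return WrongHost
	case errors.As(err, new(x509.UnknownAuthorityError)):
		return Untrusted
	}
	return Other
}
// selfSigned mints a constructed self-signed test certificate for host (test data, not a real site).
func selfSigned(host string, notAfter time.Time) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: notAfter.Add(-365 * 24 * time.Hour), NotAfter: notAfter,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}
func main() {
	now, host := time.Date(2024, 1, 15, 12, 0, 0, 0, time.UTC), "app.internal.example" // fixed clock, constructed host
	good, stale := selfSigned(host, now.Add(30*24*time.Hour)), selfSigned(host, now.Add(-24*time.Hour))
	pool := x509.NewCertPool() // stands in for the trust store pushed to managed devices
	pool.AddCert(good)
	pool.AddCert(stale) // a day past expiry, but still the same trusted identity
	fmt.Println(Classify(good, pool, host, now), Classify(stale, pool, host, now),
		Classify(good, pool, "other.example", now), Classify(good, x509.NewCertPool(), host, now))
}
```

Running it prints `ok expired hostname-mismatch untrusted-issuer`: the same verifier call yields four distinguishable outcomes, so a UI that wants a softer dialog for the first failure and a firm one for the other two has the signal it needs.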



