Enforced https on public sites
Forum rules
This General Discussion board is meant for topics that are still relevant to Pale Moon, web browsers, browser tech, UXP applications, and related, but don't have a more fitting board available.
Please stick to the relevance of this forum here, which focuses on everything around the Pale Moon project and its user community. "Random" subjects don't belong here, and should be posted in the Off-Topic board.
-
- Astronaut
- Posts: 535
- Joined: 2019-08-13, 00:30
- Location: Casumia
Re: Enforced https on public sites
I wish I could voluntarily downgrade public sites to HTTP. There have been many times where a site, which I knew would not require transmitting anything sensitive, would display an expired certificate. I do not wish to add permanent exceptions to these sites in Pale Moon and do not know how to make temporary ones, so I turn away. On the other hand, the only website within the last decade I know to transmit any kind of sensitive information at all over HTTP is the all-important Neopets.
Browser: Pale Moon (official build, updated regularly)
Operating System: Linux Mint Debian Edition 4 (amd64)
※Receiving Debian 10 ELTS security upgrades
Hardware: HP Pavilion DV6-7010 (1400 MHz, 6 GB)
Ash is the best letter.
-
- Keeps coming back
- Posts: 823
- Joined: 2015-06-01, 12:52
- Location: US Southeast
Re: Enforced https on public sites
Seems you've been out of the loop a bit. I believe the idea of 6-day certs was all the rage a few months back.
(I'm not saying that's a good idea, mind you.)
-
- Board Warrior
- Posts: 1006
- Joined: 2017-12-14, 12:59
-
- Astronaut
- Posts: 535
- Joined: 2019-08-13, 00:30
- Location: Casumia
Re: Enforced https on public sites
Clever, but I like to keep my browsing history. Is there a site with a failed certificate I can use to test whether such a site, when accessed, will show in my listing?
Browser: Pale Moon (official build, updated regularly)
Operating System: Linux Mint Debian Edition 4 (amd64)
※Receiving Debian 10 ELTS security upgrades
Hardware: HP Pavilion DV6-7010 (1400 MHz, 6 GB)
Ash is the best letter.
-
- Moonbather
- Posts: 50
- Joined: 2019-03-23, 19:16
Re: Enforced https on public sites
Partly agree here, however the certificates can also be used for other services - postfix for me.
And OCSP is optional now, and Let's Encrypt will drop it.
-
- Pale Moon guru
- Posts: 37634
- Joined: 2011-08-28, 17:27
- Location: Motala, SE
Re: Enforced https on public sites
Veit Kannegieser wrote: ↑2025-06-10, 20:21
"And OCSP is optional now, and Let's Encrypt will drop it."

OCSP has always been optional. It's a revocation check, and failure to connect to OCSP servers is generally not fatal unless in tightly-controlled environments (which is why we have an option to enable that strictness, but it is not enabled by default).
Let's Encrypt never revokes certs so it wouldn't do anything for them anyway, so there's nothing for them to lose by dropping it...

Veit Kannegieser wrote: ↑2025-06-10, 20:21
"the certificates can also be used for other services - postfix for me."

Of course, and those other applications should, if they want to maintain trust, have mechanisms to deal with revoked certificates too; whether that is infrequent CRL downloads or other ways. For the web, though, it's always been a more pressing thing, because of the much larger threat there.
The fact that trust as part of TLS has been eroded this way doesn't take away that it's essential; encryption (for the sake of encryption) doesn't matter when the biggest risk isn't that some man-in-the-middle snoops on what you communicate with a legitimate server, but rather that malicious actors can impersonate servers and have cryptographic trust. In the situation we used to have, it was clear when something wasn't secure, because of the public net being unencrypted; the protocol was a good indicator and getting a certificate was involved. The current state of affairs is that the protocol means nothing, "mainstream" browsers don't even display EV certificates as such anymore to distinguish from the lowest-threshold ones, and it's all worse than it was before while everything is supposedly "more secure" with encryption everywhere now? Sorry, but no. In the practical Internet, we're worse off than we were.
"A dead end street is a place to turn around and go into a new direction" - Anonymous
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite