Let's Encrypt allows one to get an SSL cert in the time it takes to make a cup of coffee. Not to mention the SEO benefits, so it seems a bit odd that PG hasn't got an SSL cert for his blog.
I see a couple of replies saying something like "plain HTTP [still] works fine."

Sure, it works in the sense that most of the time the page will load as expected, but it's not safe or reliable. I don't want our standard for technology to be that it "works" for some shoddy definition of works - I want it to be safe and reliable. Plain HTTP is neither safe nor reliable.

Even if you don't care about the privacy benefits of HTTPS, plain HTTP can be modified. This means that when you load an HTTP page you cannot be confident that what you're seeing is what the server sent. The content could have been manipulated, ads or malicious script could have been inserted. This has been exploited in real world attacks many times.

Sites that do not use HTTPS put their users at risk during every page load because the users are forced to load content that can be tampered with. Paul Graham (and everyone else using plain HTTP for their site) should not be putting their users at risk like this. All sites should use HTTPS.
He is a non-conformist :-D http://paulgraham.com/conformism.html