There is no user data on read-only sites, no need to verify, and if somebody creates a fake version, so what? It's read-only.
We've already ranted ad nauseum about the stupidity of imposing HTTPS standards on standing reference archives with no need or accommodation for user input of any kind, but here we are anyway. One size doesn't fit all, and the constant push to wipe out perfectly working legacy with zero security risk is getting a little old.
(Since TRWers are always up for a good beating on a dead horse or two...
)
It may not be quite so pointless as you think:
https://web.dev/why-https-matters/"Intruders exploit unprotected communications to trick your users into giving up sensitive information or installing malware, or to insert their own advertisements into your resources. For example, some third parties inject advertisements into websites that potentially break user experiences and create security vulnerabilities."Spectre/Meltdown were hardly that long ago, yet they did show that there never is any such thing as
zero security risk. It never is a problem, until it turns out that oh yeah, it actually really was a problem. And 'perfectly working' legacy websites is a poor reason to hold the rest of the world to perpetual security issues, just because the site owners cannot or do not want or care to keep up to date.
Regardless, it is what it is, whether we like it or not.
Ed
