Ugh. Really?
If you have a domain, and an internet facing web server, there's no reason not to have a cert installed, and mandate HTTPS.
The apps I'm writing now all mandate SSL. It's really annoying to the sys ops.
The main reason is that you have to pay for a cert that will be accepted by default by most browsers.
I can self-sign certs, but that will not 'just work' with most browsers, since I've not paid the Danegeld to be one of the Chosen Few root CAs whom the OS/browser accepts.
Basically, the OS and Browser are making the trust decisions for most users.
And the trust they give is proportional to the money the root CA is prepared to pay to be on the built-in root CA whitelist.
Yes, I do know about Let's Encrypt.
But at the end of the day, HTTPS requires you to trust the cert offered, and that's not a user choice in 99.999% of cases. The trust is built-in and managed by the OS vendor for most people.
Is my self-signed cert any less trustworthy?
I don't think so, but it's made difficult for end-users to understand that.
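The point made above, that "trust" in a self-signed cert is a question of which trust anchors the verifier is handed rather than anything about the cert itself, can be shown with the openssl CLI. This is an added example, not code from either poster: it mints a self-signed cert for the made-up host name example.test, verifies it against the system's default root store (where it is unknown and therefore rejected), then verifies it again with that same cert pinned as the only trust anchor, which is what an admin does when they decide for themselves to trust it. It assumes openssl 1.1.1 or later is installed; all file names and the subject are constructed for the example.

```shell
# Added example (not from the thread). Assumes the openssl CLI (>= 1.1.1) is on PATH.
# Host name, file names and key parameters are constructed for illustration.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Mint a self-signed cert for the hypothetical host example.test.
# The SAN is what a browser actually matches the host name against; CN alone is ignored.
make_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=example.test" \
    -addext "subjectAltName=DNS:example.test" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# Run a full chain + host name check with whatever trust anchors are passed in
# "$@" (e.g. -CAfile <bundle>). Echo a result word instead of exiting, so the
# caller can compare outcomes.
verify_cert() {
  if openssl verify -verify_hostname example.test "$@" "$WORK/cert.pem" >/dev/null 2>&1; then
    echo ok
  else
    echo untrusted
  fi
}

# 1. Default trust anchors: the OS/openssl root store. Our cert is not in it,
#    so this is the "untrusted" warning a browser would show.
verify_with_default_store() {
  verify_cert
}

# 2. Pinned trust anchor: the admin explicitly trusts this exact cert. Nothing
#    about the cert changed; only the trust decision moved from the vendor to us.
verify_with_pinned_store() {
  verify_cert -CAfile "$WORK/cert.pem"
}

make_selfsigned
echo "default root store : $(verify_with_default_store)"
echo "pinned self-signed : $(verify_with_pinned_store)"
```

The two verify calls run identical signature and host name checks over the identical certificate; the only input that differs is the set of trust anchors, which is exactly the decision a browser makes on the user's behalf with its built-in root list.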