Honest question, is there any reason why a static website should have SSL? Unless you have encrypted DNS, whoever is stealing the data will know the server you're connecting to, and therefore will have all the exact data anyways. So HTTPS is quite literally a waste, no?
Sorry for the ignorance, it's a legitimate question.
Even if the site is supposed to be static, an active attacker can still inject dynamic code into it.
In one somewhat recent example, a non-HTTPS page was modified in transit by an attacker to inject JavaScript code which did a denial-of-service attack against GitHub. Had the page used HTTPS, the attacker would not be able to inject that JavaScript.
Then perhaps browsers should not execute any code from a non-HTTPS source. That would nicely cover the old static page case. Any modifications to the html would be visible to the user.
If the malicious JS is served over https, it could still be inserted into a static page served over http without the user knowing. The static page needs to be served over https to avoid tampering from MITM attacks.
The browser would obviously have to be smart enough to mark code that came from any sort of http source, even those embedded in https pages or https loaded by http pages, as non-executable. That would probably be the easiest way to do it anyway. Once we hit http, the level of trust drops and stays dropped.
Having thought about this a bit more, that would be a browser option that we could use today without any general convention. Turning on the "No script execution without https" option would break very little and would prevent more than just MITM attacks.
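The "no script execution without https" rule proposed in the comments above, written out as a small checker (an added example, not part of the original thread and not any browser's actual behaviour). `ScriptAudit`, `audit` and the sample page are hypothetical names and constructed input; the rule is applied as stated: code runs only if both it and the page carrying it arrived over https.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class ScriptAudit(HTMLParser):
    """Collect every place a page can carry executable code."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, origin_url, allowed)

    def _record(self, kind, origin_url):
        # Policy from the thread: once anything in the chain came over http,
        # trust drops and stays dropped, so page AND code origin must be https.
        page_ok = urlsplit(self.page_url).scheme == "https"
        origin_ok = urlsplit(origin_url).scheme == "https"
        self.findings.append((kind, origin_url, page_ok and origin_ok))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            src = attrs.get("src")
            if src:
                # urljoin resolves relative and protocol-relative (//host/x.js) URLs
                self._record("external", urljoin(self.page_url, src))
            else:
                self._record("inline", self.page_url)
        for name in attrs:
            if name.startswith("on"):  # onclick, onload, ... are code too
                self._record("handler:" + name, self.page_url)

def audit(page_url, html):
    parser = ScriptAudit(page_url)
    parser.feed(html)
    return parser.findings

# Constructed sample page, not taken from any real site.
SAMPLE = """<html><body onload="init()">
<script src="https://cdn.example/lib.js"></script>
<script src="http://ads.example/a.js"></script>
<script src="//cdn.example/proto-relative.js"></script>
<script>console.log("inline")</script>
</body></html>"""

if __name__ == "__main__":
    for url in ("http://blog.example/", "https://blog.example/"):
        print(url)
        for kind, origin, allowed in audit(url, SAMPLE):
            print(f"  {'run  ' if allowed else 'block'} {kind:16} {origin}")
```

Served over http, every script on the sample page is blocked, including the one fetched from an https CDN; served over https, only the `http://` include is blocked and the protocol-relative include inherits the page's scheme.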
Among other things, they can tell you're reading Wikipedia but not that you're reading about <controversial subject of the day>, and they can tell that you're browsing YouTube but not able to sell data that you watch PewDiePie every day. They're also prevented from messing with the data - providing incorrect information, blocking individual pages, and inserting advertisements.
A number of web pages from better writers than me will argue why you need HTTPS. E.g. it provides integrity (so the coffee shop WiFi can't insert ads in your site), and browsers only enable some features on HTTPS sites.
It's a great question. One is protection from ISPs. Over http, they can see everything you're browsing -- the exact page and data -- whereas with https I believe they only see the top-level domain (e.g. they know you're on Hacker News, but not which thread). Worse, the ISP can potentially modify pages, inject code and advertisements, etc. In the US, we know that ISPs have done these things and now sell browsing info to advertisers.
This was enough to convince me to add https to my static blog.
See it not only as encryption, but a sealed envelope that verifies the integrity of the website which could otherwise be compromised by a man in the middle, unfortunately often an ISP to insert billing reminders, ads and promotions. Perhaps more nefariously by a hacker to replace your bitcoin wallets and PayPal links with his own...