https:// should be default with an option to opt-out, or at least be available even with a self signed certificate for us who want https everywhere. Sensitive data flows through this domain across every device and continent.