The threat model is malicious injection, not (some)information leakage.
> my web site has been around for 20 years, serving static files mostly containing a blurb about my service, my blog,
Your http website will be used for malicious injection, it doesn't matter how deep it is in the long tail. Are you ok with that? Can you take minimal measures to protect me, the user, from getting a malicious injection?
Regarding rogue CAs, most modern OS (Android, Windows) report back malicious chains to their mothership, quickly detecting and eliminating rogue CAs. It's not the wild west anymore.
Counter-intuitively, it is often difficult to reach low latency with "narrow bandwidth" (you mean low sampling rate), because many SDR interfaces are designed to fill full packets with data, not send tiny packets (ex: Ethernet packets). This problem goes away above 1-10Msps.
Buffers, buffers everywhere... It depends on the sampling rate and technology (USB, ethernet, direct PCI), but in general 1msec is achievable, 10microsec is not achievable.
That's why BladeRF-wiphy ( https://news.ycombinator.com/item?id=25814237 ) implements the lower level phy on FPGA - there's no way to reply
an IEEE 802.11 ACK frame within 10 microseconds of the end of the received frame, as required by the standard.
HTTPS only is a "Fail Closed" system, ie it blocks access in case of failure. This is safe for the general population.
HTTPS/HTTP mixed support is a "Fail Open" system, ie it allows (unencrypted) access in case of failure. This is unsafe for the general population, see QUANTUM (above).
HTTPS-everywhere, along with constant monitoring and reporting of certificate chains by the browser, are designed to protect against QUANTUM attacks [1], which, ~10 years ago, was being scaled to support million of simultaneous attacked devices.
> my web site has been around for 20 years, serving static files mostly containing a blurb about my service, my blog,
Your http website will be used for malicious injection, it doesn't matter how deep it is in the long tail. Are you ok with that? Can you take minimal measures to protect me, the user, from getting a malicious injection?
Regarding rogue CAs, most modern OS (Android, Windows) report back malicious chains to their mothership, quickly detecting and eliminating rogue CAs. It's not the wild west anymore.