Nowadays there is no reason anymore to have an option to only force HTTPS on the Administrator or the entire site.
Especially with all the changes going on in the browsers: warnings if you don't use HTTPS, internet speed improvements (HTTP/2), free certificates and all the other things.
I want to suggest changing the current feature to a Yes and No option, which simply forces HTTPS for everything or nothing.
Labels | Added: ? |
Category | ⇒ | Administration Feature Request |
Status | New | ⇒ | Discussion |
I can't code... Do you have a code fix proposal for this?
I agree that it needs to be fixed.
@PhilETaylor I was checking your comment and it's a bit weird. If you enabled the force option when you don't have a cert then you get the warning and you are correct the global config doesn't change. BUT after loading the front end of the site and then opening the config it has been corrected to say disabled.
Labels | Added: J4 Issue |
Following on from @conconnl's first comment, is there any reason not to have the default set to https rather than non-https, as surely the majority of sites must now run on SSL? With Let's Encrypt and others available free and perfectly suitable for smaller, non-ecommerce sites, there's no reason not to have even a basic SSL certificate installed.
Maybe intranet sites running under a firewall, I guess.
Normally you don't create a website in a public space; instead, many people use xmpp (or similar) for bootstrapping their sites. That means they use localhost for 127.0.0.1 as server name. You can't create an official certificate for these names; you would need to create your own certificate and allow it in the browser.
In my experience that will not be done by people setting up a website and moving it later to a public webspace. Also, you don't get any gain from it for localhost.
What maybe makes sense is to inform people on backend login that the site is not TLS encrypted and they should find a way to do this.
But a default activation is a no go.
If a site is installed directly on a web server, either by our install or the web host's install, then we can detect if the site is already running https.
That's partly true, because we can't guarantee that the certificate is valid, for example.
But yes, it could be considered in the installer.
If it's not valid and the site is being accessed by https then the validity of the certificate is not our issue.
This cannot be done in the installer as many hosts have their own one click installer.
then it's the job of the one click installer
The Joomla installer should only be the minimum necessary to get the software running; putting feature configurations into the installer is problematic because of third party software like Softaculous which does not install Joomla using the core provided interface.
If you want something done after installation, adding some kind of "after install at first login" step is your most reliable option. Otherwise, don't stuff things into the installation app that can't be relied on to always be available.
then it's the job of the one click installer
Have a little respect for the ecosystem and understand that not every Joomla user installs Joomla the same way and that Joomla doesn't have the influence to force these vendors to change how they work.
That's the reason I wrote it could be mentioned on login, the installer or, if you like, a post installation notice would at least make sense. But doing it automatically/default is a bad idea, that's what I wanted to say.
Status | Discussion | ⇒ | New |
Build | staging | ⇒ | 4.0-dev |
Status | New | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2020-11-24 22:34:38 |
Closed_By | ⇒ | conconnl |
Normally you don't create a website in a public space; instead, many people use xmpp (or similar) for bootstrapping their sites. That means they use localhost for 127.0.0.1 as server name. You can't create an official certificate for these names; you would need to create your own certificate and allow it in the browser.
@HLeithner I am not sure I understand. May you elaborate on it?
What's worse is that you can enable this, then if you don't have an SSL cert installed it will warn you, but still have the configuration enabled... and just ignored...