That's not really a solution either. You really expect your house guests or people visiting a museum or event to do a technical reconfiguring of their phone just to interact with the installation or game?
I would think that museum should be able to get a SSL cert.
But yeah, "SSL-only" kinda breaks the end-to-end principle since we have no mechanism to assign SSL certs to endpoints on demand. So it seems flawed on a conceptual level.
Most of these types of exhibits are created by art students and shown at events and happen to be run by museums. Neither the students nor anyone at the museum have any tech experience whatsoever. As the system is now it works for them. But when HTTPS is required they'll all be S.O.L.
