As a security professional, I'll throw my hat into the ring here. Without HTTPS, everything, including usernames and passwords will be transmitted in clear text on your site. This also means any information you hold concerning users is also unsafe, and as a result of any of that information being leaked (particularly if you hold data that pertains to and can identify users within the EU), under the GDPR you are exposing yourself to unprecedented risk - and a €20m fine or four times the annual turnover of any parent company (whichever is greater) and if any investigating body determines you do not have even the basics of security in place (in this instance, HTTPS being one of many), then you are fair game to law suits, and heavy fines for non compliance to even the most basic of standards.
It also goes without saying that your website is open to MiTM (Man In The Middle) attacks where anyone can listen to the traffic stream, intercept it, and given that it's all going to be in the clear without a cert, can easily modify it, repackage it, and also reroute it to nefarious destinations which also places the user of your site at significant risk.
Finally, it to won't be long before all browsers will simply refuse to load sites that do not have a certificate installed and seeing as it will be so easy to inject malicious content into the site, credential theft will be the least of your concerns.
Overall, security is expected in it's basic format in today's world. As more users become aware of this, trust will wane significantly and endpoint software designed to protect users will simply deny access to your site. Google will also penalise you for not having a secure site, and in most cases, will not present your site in search results because of this.
If your site doesn't contain a certificate, then it's also extremely likely that it will be also highly vulnerable to cross site scripting attack and remote injection. Any mail services you offer on the same server will also be bouncing messages and won't be able to deliver without some form of security negotiation which is a standard over SSL, or even better, TLS.
The overall message here is that without simple security, your site, it's associated users, and their data is a sitting duck. You'll also very quickly find yourself being placed into automated blacklists and it'll be very difficult to have this removed when the owners of these lists (which security platforms will check against for literally every request on the internet) determine that you have no active certificate or even any service redirecting port 80 to 443.
If you still don't want to implement the 101 of security fundamentals on your site, don't be surprised if nobody here or anywhere else will trust it enough to use it.
