| ▲ | himata4113 5 hours ago | |||||||||||||||||||||||||||||||
I think you would have a better argument if you said something like: "I don't want my ISP knowing about the content I read" or something along those lines. MITM for a text download is like saying we have to have https for dns (yes DoH exists now), but the point still stands. You aren't sending any sensitive data to the website, MITM is unlikely. | ||||||||||||||||||||||||||||||||
| ▲ | brewmarche 5 hours ago | parent | next [-] | |||||||||||||||||||||||||||||||
Without HTTPS someone could alter the content, spread false information, inject ads, malware, and other stuff, redirect to some other site, … (This is a general remark, but it goes for a blog post like this as well.) | ||||||||||||||||||||||||||||||||
| ||||||||||||||||||||||||||||||||
| ▲ | OkayPhysicist 3 hours ago | parent | prev [-] | |||||||||||||||||||||||||||||||
Without HTTPS, every link in the chain between me and your website is a potential attack vector. Maybe I trust my ISP, but do I trust my buddy's cheapo router? What about the shadowy cabal that offers airport wifi? With static webpages, the concern isn't someone snooping in on what I'm reading. It's someone injecting content, probably malware, into the page. Let's say I have a zero-click exploit for Chrome. What can I do with it? If I just stick it on a page I control, best I can hope for is spamming it all over the web and hoping someone clicks on it. Probably not a lot of impact before it gets patched. If instead, I can wait until some router firmware gets pwned, or an ISP, I can do a mass attack where I make all the vulnerable routers inject my exploit into all non-HTTPS web requests. Much greater exposure. | ||||||||||||||||||||||||||||||||
| ||||||||||||||||||||||||||||||||