I agree. Nobody is attacked using MITM, which is the only thing HTTPS prevents. Most credential leaks are due to insufficient security at the server, not the connection.
If the connection were HTTPS they could simply block it or redirect it wherever they want to give the same message. An ISP will always be able to MITM the connection.
You can't redirect HTTPS traffic unless you have a root certificate or have the private key of the site, and blocking HTTPS traffic would make at least 68% of web traffic not work, so not a real option.
Exactly. It will show up in any modern browser with a big red "This site is not safe!" type of message if that were to happen. This is one of the reasons Google (and others) so proactively protect the certificate infrastructure so meticulously, and run efforts like https://www.certificate-transparency.org/
It's not important at all for most people. How many times have you been MITM'd? I'll tell you about me: zero. Nobody cares enough about me to do that.
You know what people get bitten by? Hacked servers where the whole website is under a phisher's control, or a malicious website which downloads malware to your machine or sells your data (e.g., Google, Facebook).
Maybe my knowledge is lacking, so please tell me what those 4 things are that you're being so elusive about. I suspect they are also as unlikely as MITM.
I've been MITM'd numerous times in the past. I've been MITM'd by corporate networks filtering my traffic. I've been MITM'd by scummy and public wifi hotspots trying to inject ads. My own domain provider once MITM'd my domain in a weird attempt to tell me my domain was expiring...
I'm not trying to protect myself from a targeted attack. I'm trying to protect myself from the enormous amount of scummy behavior in this whole industry. When I connect to my bank, I want my data to be secure not only against malicious activity, but negligence and incompetence. This is the threat model that HTTPS-Everywhere protects against.
Sure, people get bitten by viruses and phishes. But let's fix things one step at a time.
> When I connect to my bank, I want my data to be secure not only against malicious activity, but negligence and incompetence.
What bank do you use that doesn't use https already? Maybe it's time to change your bank rather than force every website in the world to switch to https.
Of course my office pushes a root certificate to all the devices and Skype for Business breaks unless you’ve trusted that certificate to handle SSL traffic.
> It's not important at all for most people. How many times have you been MITM'd? I'll tell you about me: zero.
How do you know? What is your groundless, evidence-free assertion worth to you?
> Nobody cares enough about me to do that.
I have detected Firesheeping on coffee shop networks in the past. Guess somebody cared about all the people in there, huh?
The conflation of Google using information collected about you in aggregate to provide advertising services and man-in-the-middle attacks on clients is dishonest, disingenuous, and at this point downright malicious. Stop.