by mholt 3595 days ago
> What would be the economic incentive towards carrying out a sufficiently complex MITM attack on a blog or a newsfeed?

Gee, I don't know, imagine plastering your brand all over the NYT homepage or libelously accusing your political opponent of some heinous crime or behavior or injecting your malicious script onto millions of visitors' machines.

> There's no MITM required for this.

Um, local scripts injecting ads are still MITM by definition.

> TLS wouldn't fix this in any way as far as I am aware.

Yes it would. That's why pesky "antivirus" software MITMs TLS connections on your local computer.

1 comments

The context of this discussion is smaller publishers/bloggers/etc. If you see the grandparent post it's clear that industry leaders will not find it technically challenging to get on board with both TLS and HTTP/2. The question I asked about economic incentive is not in the context of the NYT homepage but thank you for the unnecessary snark.

A local script injecting an ad is not the same kind of MITM attack and is in no way mitigated by enabling TLS.

The discussion here is not about whether encryption is bad. My aim was to ask about whether no encryption = no HTTP/2 for you and why this is the case. I understand that the technical reason at the protocol level is because of obsolete proxies often sitting on port 80 and also the protocol negotiation that needs to take place.