by riobard 3388 days ago
Here's why: Many ISPs hijack HTTP connections and inject ads and tracking JS into the page. If you don't use HTTPS, your page is screwed.

The Internet is not a safe place. We should aim for HTTPS EVERYWHERE.

3 comments

This is a really good point. Usually we talk about protecting against a third party, but the far more ordinary use case is protecting against the adversary right on the other side of your router.
Also transcoding images to be terrible quality. If you care about your images not looking like crap, you should serve them over HTTPS.
> Many ISPs

I think that's a bit sensationalist.

Verizon, Comcast, and Rogers have done it, that we know of. In North America that's a very large proportion of traffic.
Maybe it is even worse when it is just a few - people won't know that the website creator isn't responsible for all of its content. And sometimes it is hard to know who is the culprit, like in https://news.ycombinator.com/item?id=12091900 .

Is there any solution other than totally killing HTTP that protects from HTTPS stripping attacks? HSTS won't protect the first visit, and STS preload lists can only be so large.
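The first-visit gap described in this comment is easiest to see by modelling what a browser actually does with a Strict-Transport-Security header. The following is an added example, not code from the thread or from any browser: a small RFC 6797-style policy store with a constructed preload list. It shows that a plain-HTTP navigation is only upgraded once a valid header has been seen over TLS (a header received over HTTP is ignored, so a stripping proxy cannot poison the store), that the policy expires with max-age, and that preloading is the only thing that closes the window before the first secure visit. The host names, the preload set and the one-year threshold used for preload eligibility are assumptions made for this example.

```python
"""Added example: a browser-style HSTS policy store plus preload list.

Models the behaviour described in RFC 6797 so the first-visit window
is visible; not taken from any real browser's code.
"""

ONE_YEAR = 31536000  # seconds; assumed minimum max-age for preload eligibility

# Constructed preload list for this example: host -> includeSubDomains flag.
PRELOAD = {"preloaded.example": True}


def parse_hsts(header: str) -> dict:
    """Parse a Strict-Transport-Security value into a dict of directives.

    Returns {} when there is no valid numeric max-age, which a browser
    treats as 'no policy'. Directive names are case-insensitive.
    """
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    if not directives.get("max-age", "").isdigit():
        return {}
    directives["max-age"] = int(directives["max-age"])
    return directives


def preload_eligible(header: str) -> bool:
    """Assumed preload rules: max-age >= 1 year, includeSubDomains, preload."""
    d = parse_hsts(header)
    return bool(d) and d["max-age"] >= ONE_YEAR \
        and "includesubdomains" in d and "preload" in d


class HstsStore:
    """Known-HSTS-hosts cache as a browser keeps it, seeded with a preload list."""

    def __init__(self, preload=None):
        self.known = {}                    # host -> (expiry_time, include_subdomains)
        self.preload = dict(preload or {})

    def record(self, host: str, header: str, over_tls: bool, now: int) -> None:
        """Process an STS header seen in a response from `host`."""
        # RFC 6797 section 8.1: headers over insecure transport MUST be ignored,
        # so an injecting proxy on the HTTP path cannot set or clear a policy.
        if not over_tls:
            return
        d = parse_hsts(header)
        if not d:
            return
        if d["max-age"] == 0:              # max-age=0 withdraws the policy
            self.known.pop(host, None)
            return
        self.known[host] = (now + d["max-age"], "includesubdomains" in d)

    def should_upgrade(self, host: str, now: int) -> bool:
        """True if a navigation to http://host would be rewritten to https."""
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            exact = i == 0
            if candidate in self.preload and (exact or self.preload[candidate]):
                return True
            if candidate in self.known:
                expiry, subs = self.known[candidate]
                if now < expiry and (exact or subs):
                    return True
        return False


def first_visit_window() -> list:
    """Walk one constructed scenario and return the upgrade decision at each step."""
    store = HstsStore(PRELOAD)
    policy = "max-age=31536000; includeSubDomains"
    steps = []
    steps.append(store.should_upgrade("victim.example", now=0))        # never seen: stripping window
    store.record("victim.example", policy, over_tls=False, now=0)       # header over HTTP: ignored
    steps.append(store.should_upgrade("victim.example", now=0))
    store.record("victim.example", policy, over_tls=True, now=0)        # first TLS visit sets policy
    steps.append(store.should_upgrade("victim.example", now=1))
    steps.append(store.should_upgrade("www.victim.example", now=1))     # covered by includeSubDomains
    steps.append(store.should_upgrade("victim.example", now=ONE_YEAR + 1))  # expired
    steps.append(store.should_upgrade("api.preloaded.example", now=0))  # preloaded: no window
    return steps


if __name__ == "__main__":
    print(first_visit_window())
```

The scenario function returns the upgrade decision at each step; the first two entries are the window the comment is asking about, and only the preloaded host has no such window at all.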

It's not, it happens at a ton of coffee shops, on airplanes, etc, etc. Probably not ISPs you buy home internet from, but there are a lot.
Vodafone in the UK did this to me.
Vodafone is the worst. Although it's really the U.K. surveillance state that is the problem.

When I popped my SIM into my iPhone it forced me to download a configuration profile with a self-signed Vodafone cert, which means they can mitm any connection. I think this is required by the government so they can block adult websites by default? (I've also seen torrent websites fail silently with misleading "server not found" errors.)

I haven't looked into whether they're doing the filtering via DNS or mitm, but I avoid the censorship by connecting to a VPN.

I have never heard of the self-signed certificate; that would be interesting to report to the Open Rights Group [1].

The filtering in the UK is by inspecting HTTP requests, so when a single image on wikipedia.org was blocked, every request to Wikipedia ended up going through each ISP's hidden proxy. [3]

According to [2], HTTPS sites aren't filtered -- but it references a page from 2004. I suspect HTTPS sites are now simply blocked outright at either DNS or IP level, but I don't have a way to verify this, and can't find any details.

[1] https://wiki.openrightsgroup.org/wiki/Internet_censorship

[2] https://wiki.openrightsgroup.org/wiki/Cleanfeed#cite_note-LI...

[3] https://en.wikipedia.org/wiki/Child_abuse_image_content_list...

Here are some screenshots of the text I got and the profile I had to install.

Correct me if I'm wrong, but I'm pretty sure this enables complete MITM by Vodafone when using the cellular network.

http://imgur.com/b0il5xb http://imgur.com/3mw5ZGZ http://imgur.com/6ehhfuZ

I don't know why Vodafone are doing that, but you shouldn't go around telling people that it's because of "the U.K. surveillance state", because other UK ISPs don't do that.

The "server not found" errors sound like DNS blocking, which they can do without MITM.