by SnacksOnAPlane 3230 days ago
As long as neverssl.com still exists so I have some way to pop up the login page from captive wifi portals, I'm fine with everyone else going SSL.

However, I basically agree that if you're just hosting a blog with no user interaction, there's really no need for it. The threats (for example, somebody hijacks the request and returns different content) are minimal.

9 comments

There are ISPs that have tools to inject arbitrary code into HTTP webpages. For example, my ISP injects notification banners into my web browser sometimes.

Even if the ISP means well at the beginning, the tool can be abused (ISPs injecting tracking, or reading the tracking information so they can sell it). Attackers at coffee shops and conferences can do much worse.

This is the reason I finally added SSL to my academic webpage.
> so I have some way to pop up the login page from captive wifi portals, I'm fine with everyone else going SSL

Isn't this the fault of those deploying the captive portal for not implementing RFC7710 and advertising a secure login URL?

First time I hear of RFC7710, all I see is HTTP hijacking. Does anybody support it, in particular OS vendors? I suppose some new UI or a new API for browsers would be required.
Yes, but we have to work around crappy software all the time. I've used portals that only trigger on google.com.
Minimal depending on location. In the USA, worst we have heard about is tracking cookies and injected notifications. In China, for example, malware injection has occurred from ISP's ad networks.
> The threats (for example, somebody hijacks the request and returns different content) are minimal.

I wouldn't call injecting malware/adware/advertising minimal.

I use example.com for this purpose. I'm guessing that they'll keep listening on port 80 for quite some time.
I prefer example.org because I'm anti-capitalist and hate commerce.
I try to use `example.int` because I'm a globalist.
Did you enjoy NXDOMAIN?
I thought so too, but there was one US ISP that started injecting headers.
I had such a problem trying to figure out a site I knew that didn't use ssl yesterday for this! Thanks for the tip.
Your users might care when malware is injected into your page.
You can use example.com as well.