[frik]

> The injection is currently for non-HTTPS only, but I can easily see this situation evolving for the worse as HTTPS becomes increasingly the default.

That's my fear too. This has to be handled by other means and has to stop. If everything is HTTPS you can be sure it gets very unsecure by design, as everyone will upgrade its capabilities and inject you certs, than we would need a new more secure protocol.

Why is email still unsecure and sent in plain text? Why is there hype for HTTPS but everyone is fine with sending mail in plain text yet we have SMIME, etc and no one is using or supporting it.