by Diederich 3049 days ago
https is about two big things in my mind.

The obvious one is that it makes your traffic hard or impossible to sniff.

What's often overlooked is that it also makes your session highly resistant to tampering by 3rd parties. These parties include:

1. Anybody who might have access to your home WIFI network.

2. Your Internet Service Provider. There have been plenty of documented cases where ISPs have injected 'harmless' HTML.

3. Any number of bad actors if you're using any kind of public WIFI.

4. National actors. That's the NSA in the United States, where we have clear evidence that they have been capable of intercepting unsecured connections and injecting unreleased attacks into targeted computers.

This is not tinfoil hat stuff.

The benefit of https is undeniably greater than the cost.

I'm not crazy about how Google throws their weight around in a lot of cases either. But in this case, I think they're doing the right thing.

2 comments

> https is about two big things in my mind.

Three things not two. Confidentiality, Integrity, and Authentication.

1 and 3 are due to poor end user security and won't be solved by HTTPS, and 2 and 4 are lost causes and also not solved by HTTPS.

An ISP is by definition a man in the middle, and unless the user checks certificates for every page and resource they fetch then the ISP can inject their own certs and monitor traffic if they really want to.

And most of the time national actors like the NSA will have better ways of getting the information if they need it.

An ISP cannot inject their own certificate. That is decided by your OS or browser vendor.

An ISP could inject their own certs very easily. Send an email to customers -- here run our "tune up" app to speed up your computer. A huge portion of customers would probably do it. Bingo, new CA roots installed.

In that case the ISP would be inducing the user to install malware. If the ISP is willing to do that, then you should probably view them as malevolent adversaries in your security model. I don't really think that an OS can protect against this in any reasonable way if that OS allows users to update certificate stores themselves. I don't really view this as a problem with the certificate model as opposed to plain old social engineering.

In any case, I don't think "an ISP could inject their own certs very easily" is a fair characterization unless you put it on the same footing as "anyone with your email can get people to install malware easily".

What's rather more difficult is doing that without it being noticed.

As a concrete example, Lenovo were caught.
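The exchange above turns on one mechanism: a TLS client accepts a server certificate only if it chains to a root in the client's own trust store, so an interceptor's certificate is rejected until the interceptor gets its root installed on the machine. The following Go program, an added example that is not part of the thread and not any commenter's code, builds two constructed in-memory roots with the standard library's crypto/x509 (a "genuine" root standing in for a browser vendor's store and an "interceptor" root), issues a certificate for the constructed hostname example.com from each, and runs the same chain validation a browser would before and after the interceptor's root is added to the trust store. The names Toy Public Root CA and Toy Interceptor Root and the helper functions are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// toyCA is a constructed in-memory certificate authority for this example only;
// it stands in for an OS/browser trust-store root or for an interceptor's root.
type toyCA struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newToyCA creates a self-signed root certificate with the given name.
func newToyCA(name string) (*toyCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &toyCA{cert: cert, key: key}, nil
}

// issueServerCert signs a leaf certificate for host with this CA's key.
func (ca *toyCA) issueServerCert(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(12 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &key.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// chainsToTrustedRoot is the client-side check a browser performs: the leaf
// must validate for host against exactly the roots the client trusts.
func chainsToTrustedRoot(leaf *x509.Certificate, host string, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

// Scenario returns whether the genuine certificate validates, whether the
// interceptor's certificate validates against the untouched trust store, and
// whether it validates once the interceptor's root has been installed.
func Scenario() (genuineOK, interceptorOK, afterInstallOK bool, err error) {
	const host = "example.com" // constructed hostname for the example
	genuineRoot, err := newToyCA("Toy Public Root CA")
	if err != nil {
		return
	}
	interceptorRoot, err := newToyCA("Toy Interceptor Root")
	if err != nil {
		return
	}
	genuineLeaf, err := genuineRoot.issueServerCert(host)
	if err != nil {
		return
	}
	forgedLeaf, err := interceptorRoot.issueServerCert(host)
	if err != nil {
		return
	}
	genuineOK = chainsToTrustedRoot(genuineLeaf, host, genuineRoot.cert)
	interceptorOK = chainsToTrustedRoot(forgedLeaf, host, genuineRoot.cert)
	afterInstallOK = chainsToTrustedRoot(forgedLeaf, host, genuineRoot.cert, interceptorRoot.cert)
	return
}

func main() {
	g, i, a, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine: %v, interceptor: %v, interceptor after root install: %v\n", g, i, a)
}
```

The middle result is the point the "cannot inject their own certificate" comment makes: with only the vendor-supplied root in the pool the forged certificate fails validation. The last result is the point the reply makes: once the extra root is in the store, validation passes and the interception is invisible to the TLS layer, which is why auditing what sits in a machine's trust store matters as much as the protocol itself.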