[jlarocco]

1 and 3 are due to poor end user security and won't be solved by HTTPS, and 2 and 4 are lost causes and also not solved by HTTPS.

An ISP is by definition a man in the middle, and unless the user checks certificates for every page and resource they fetch then the ISP can inject their own certs and monitor traffic if they really want to.

And most of the time national actors like the NSA will have better ways of getting the information if they need it

[roblabla]

An ISP cannot inject their own certificate. That is decided by your OS or browser vendor.

[ams6110]

An ISP could inject their own certs very easily. Send an email to customers -- here run our "tune up" app to speed up your computer. A huge portion of customers would probably do it. Bingo, new CA roots installed.

[CogitoCogito]

In that case the ISP would be inducing the user to install malware. If the ISP is willing to do that, then you should probably view them as malevolent adversaries in your security model. I don't really think that an OS can protect against this in any reasonable way if that OS allows users to update certificate stores themselves. I don't really view this as a problem with the certificate model as opposed to plain old social engineering.

In any case, I don't think "an ISP could inject their own certs very easily" is a fair characterization unless you put it on the same footing as "anyone with your email can get people to install malware easily".

[andrewaylett]

What's rather more difficult is doing that without it being noticed.

As a concrete example, Lenovo were caught.