[jakelazaroff]

> To exploit a MiTM you need to be on the same network, this could be achieved through your local-cafe's WiFi or by compromising an internal system of a local network.

Or, say, your ISP injecting ads and tracking scripts into unencrypted pages your browser requests.

[trash_panda]

Holy, I forgot about that one! You're totally right and I'm surprised it's not one of the main arguments for this push for HTTPS.

[jakelazaroff]

IMO it's really the only compelling argument for HTTPS on sites that don't deal with traffic worth intercepting. Other than that, I agree with you re café Wi-fi, etc: the man-in-the-middle risk is so small and localized that it may as well not exist.

[greglindahl]

Not only is the coffee shop using an ISP that is likely MITMing you, insecure coffee wifi routers can be exploited at scale to MITM a lot of coffee shops at once.

[plopz]

I think thats why google has been pushing so hard for https, isps were able to do tracking just as well under http, so google wants to shut that door.