by fmpwizard 2848 days ago
> generally is because they chose to use unsafe public access points

It sounds like you are penalizing users for not using a vpn or some other method when out of their homes. Yes, people can do that, but in 2018 having https on the sites you manage is a lot easier than asking every possible visitor to use a vpn. I hope you would reconsider and enable https on all the sites you are an admin of.

> If your ISP is MITMing you, I think you have bigger problems than whether they change the content of my static site when you visit it. If they were, they could potentially target your initial download of your browser and downgrade to http to infect your browser so that you never realize after that that https is faked out...

They could, and maybe in countries other than the US you have plenty of ISP choices, but in many places in the US, you are stuck with just one ISP.

And so far, we know that ISPs are manipulating http traffic but so far they haven't gone all the way to give you an infected browser. Again, it is possible, but I think that a better approach is if we all do as much as we can to help each other, the internet could be a better place.

1 comments

It's all good to point this out, but it's a social argument, not a technical one. If the technical arguments have been eliminated (e.g. you have no technical use for encrypting the connection) then you're left with "Join us in giving the finger to ISPs/cafe routers that inject foreign JS!" Don't be upset when people say "Meh. Take it up with those ISPs directly, or with web browser vendors, I don't care and don't want to join your crusade." At some point web browsers will stop serving content over HTTP unless perhaps with a custom flag turned on, and even then, some people will still not use HTTPS.