[wlll]

> It's not an insecure protocol. What is insecure, in every single example I've seen in this thread and in the article, is the bad defaults of browsers executing javascript automatically. Without that terrible design choice, prioritized because of commerce and the desire to change the web of documents into a surveillance operating system, HTTP would be, and is, just fine.

OK, so what you're saying here is that HTTP is insecure as long as the browser distributors continue to do something that (you say) is insecure.

Well, I've got news for you. The browser distributors are going to continue to do this.

Also, do you really think it's within reason to expect users to examine all the Javascript that is loaded on a page looking for malicious code before clicking some sort of button to run it?