| > everything 'insecure' you just described comes from users running code that might be injected. No, I gave 3 different examples where JavaScript is irrelevant but HTTPS is still important. * Online banking (HTTPS prevents snooping) * Software updates (HTTPS ensures you get untouched data) * Browsing a Wikipedia page about a medical condition (HTTPS prevents snooping) > There's no danger from some entity tricking some person into viewing a simple html page. That's not true. Not all browser security flaws involve JavaScript. Browser flaws aside, it's still important to prevent an attacker from modifying the page to perform a phishing attack (tricking a non-technical person into visiting faceb00k.com, and then capturing their password). Less seriously, HTTPS blocks injection of spam into your page by an ISP. HTTPS is also important to prevent profiling by unscrupulous ISPs. |