by derefr 2087 days ago
Just because the original site was simple doesn't mean that the thing an MITM replaces it with needs to be. Sites aren't apps; sites that do little don't "install" into the browser with an intentionally limited set of permissions, such that an attacker would then be limited in their attack by those permissions. An MITM can replace the site with basically whatever they like.

I can't find the example (it was linked on HN a few years back), but a clear demonstration of this is a case where the MITM can serve a phishing page that initially appears to be the original site you've hijacked (so the user trusts it, and leaves it alone); but later, while the page is not visible (for example, when the user switches away from that tab), the page will switch over to showing a Facebook login screen or something.

Since the website isn't a known "malicious site" (so no alert from the browser), the user probably won't bother to look at the URL bar. They'll just think they left Facebook open in a tab, and it logged them out for inactivity. So they'll "log back in."

1 comment

And MITM is still possible for https, just a bit different, with two points of interception rather than one; see my other comment [1].

[1] https://news.ycombinator.com/item?id=24711111

EDIT: what are the downvotes for? If for disagreement, this only shows how poorly people understand the security of https.