[kibwen]

Recently there was a browser zero-day observed in the wild that operated by MITM'ing HTTP connections and injecting the payload into the response. You're thinking of HTTPS as protecting what information you send, but it also protects what you receive; with an HTTP connection, anyone in the middle can make your browser receive anything they want.

[upofadown]

When things have gotten so bad that all you need to do to own a browser is to connect to it the last desperate measure is to try to keep all the badness away.