by jgowdy 1931 days ago
I often bring this up in HTTP vs HTTPS conversations. It's not about what CAs you trust, as that's a policy decision you can make on your own devices. It's about knowing (through whatever CAs you trust) what the origin of the code you're going to execute on your device is. It's about knowing that your ISP isn't injecting extra JavaScript into your page requests. This isn't hypothetical; it's literally happening right now.

When the people injecting JavaScript are interested in exploits rather than dumb ISP value added services and notifications, it becomes more obvious that running code from untrusted sources, even if it's sandboxed, is dangerous.

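The injection jgowdy describes, as an added example that is not part of the thread: a small Python script that rewrites a plaintext HTTP/1.1 response the way an in-path box would (splicing a script tag before `</body>` and fixing `Content-Length` so the browser never notices), next to a client-side audit that lists every script source not served over `https://` from a host the page owner expects. The response bytes, the hostnames `static.example.com` and `injector.isp.example`, and the injected URL are all constructed for the demo; on HTTPS the same in-path node only sees ciphertext, so the `text/html` check in the injector never matches.

```python
"""Added example (not from the thread): an in-path injector rewriting a
plaintext HTTP/1.1 response to add a <script> tag, next to a client-side
audit that flags script elements from unexpected origins. The response,
hostnames and injected URL below are constructed for the demo."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page: the only script the site owner ships.
ORIGINAL_BODY = (
    b"<html><head>"
    b'<script src="https://static.example.com/app.js"></script>'
    b"</head><body><p>hello</p></body></html>"
)
# Constructed "value added" tag an ISP box might splice in.
INJECTED_TAG = b'<script src="http://injector.isp.example/notify.js"></script>'
ALLOWED_HOSTS = {"static.example.com"}  # hosts the page owner expects


def build_response(body: bytes) -> bytes:
    """Minimal HTTP/1.1 response with a correct Content-Length."""
    return (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: text/html; charset=utf-8\r\n"
        b"Content-Length: " + str(len(body)).encode() + b"\r\n"
        b"\r\n" + body
    )


def split_response(raw: bytes):
    """Return (header block, body); body is empty if no blank line found."""
    head, _sep, body = raw.partition(b"\r\n\r\n")
    return head, body


def declared_length(raw: bytes) -> int:
    """Content-Length as the headers claim it, or -1 if absent."""
    head, _ = split_response(raw)
    m = re.search(rb"(?im)^content-length:\s*(\d+)", head)
    return int(m.group(1)) if m else -1


def inject_script(raw: bytes, tag: bytes = INJECTED_TAG) -> bytes:
    """What an in-path node can do to cleartext HTTP: splice a script tag
    before </body> and rewrite Content-Length so the browser parses the
    response as if the origin had sent it. Non-HTML responses and bodies
    without </body> are passed through untouched."""
    head, body = split_response(raw)
    if b"text/html" not in head.lower():
        return raw
    idx = body.lower().rfind(b"</body>")  # ASCII lower() keeps offsets
    if idx < 0:
        return raw
    new_body = body[:idx] + tag + body[idx:]
    new_head = re.sub(
        rb"(?im)^content-length:\s*\d+",
        b"Content-Length: " + str(len(new_body)).encode(),
        head,
    )
    return new_head + b"\r\n\r\n" + new_body


class _ScriptCollector(HTMLParser):
    """Collect the src of every <script> tag (None for inline scripts)."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.sources.append(dict(attrs).get("src"))


def foreign_scripts(raw: bytes, allowed_hosts=ALLOWED_HOSTS) -> list:
    """Audit the HTML body of a response: return script sources that are not
    https:// from an allowed host. Inline scripts are reported as "inline"
    because their origin cannot be checked without a CSP hash or nonce."""
    _, body = split_response(raw)
    parser = _ScriptCollector()
    parser.feed(body.decode("utf-8", "replace"))
    findings = []
    for src in parser.sources:
        if src is None:
            findings.append("inline")
            continue
        parts = urlsplit(src)
        if parts.scheme != "https" or parts.hostname not in allowed_hosts:
            findings.append(src)
    return findings


if __name__ == "__main__":
    clean = build_response(ORIGINAL_BODY)
    tampered = inject_script(clean)
    print("clean   :", foreign_scripts(clean))
    print("tampered:", foreign_scripts(tampered))
```

The audit only catches external scripts from unexpected origins; an injector that inlines its payload shows up as "inline", which is why a real deployment pairs it with a Content-Security-Policy that hashes or nonces the scripts the page actually ships.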

I think you are confusing HTTP, which is a protocol, with the browser, which is doing more than just HTTP.

I'm using HTTP securely just fine when I connect to it with my own client and my own encryption!

Servers don't use browsers.

We don't need HTTPS, we need less complexity and HTTP is just fine for transport!