Is it a web app or just a static site? I still haven't seen a good argument for why static sites (blogs, personal sites, etc. that process no user information) should implement HTTPS.
Excluding things like zero-day exploits, the biggest problem with allowing any unencrypted traffic is cache-poisoning.
This was noticed when a Google engineer went on holiday, and stayed at a hotel with dodgy Wi-Fi that copypasted ad scripts into anything that looked like jQuery. Said engineer realized that his laptop was still getting hit with the hotel's ads for months afterwards, because it had managed to poison one of those "JavaScript CDNs" that a lot of other sites use.
This is, of course, an attack - a hotel that can get an ad script onto arbitrary sites by rewriting one unencrypted request can also add a script that, say, siphons information off of any other site it got included into.
Sounds like Chrome is finally taking steps to combat that, as the post mentions they plan to "Restrict how, and for how long, Chrome stores site content provided over insecure connections".
I use HTTPS on my blog, which is a static website with no comments, because my blog contains information that I want people to be able to trust, and so I don't want an MITM to be able to modify it.
There are a whole bunch of ways that they can do that. The obvious way is that a lot of my blog is about programming, and so I have code on my blog people can copy/paste. If a MITM can modify that (perhaps by injecting something with font-size-zero), that directly harms my readers, and selfishly, that reflects poorly on me - it makes it look like I'm trying to harm my readers.
I also have prose blog posts where I express advice or opinions. If I write about, say, security advice, and that advice has been modified to be bad, that also harms my readers and reflects poorly on me. Why would someone do that? I don't know, there are lots of trolls on the internet. More interestingly, I also write about my religious beliefs. If someone modifies a post to make me look like I'm one of the most egregiously bigoted people of my religion, that would also be harmful to my readers and reflect poorly on me, and the casual reader might not notice that the post is out of character, and there are a lot of people on the internet who are angry at my religion.
Also, even if I didn't have any such information, a MITM could add a cryptominer or something to my blog - something that accesses no private information but still consumes my visitors' CPU and battery - would harm my readers and reflect poorly on me.
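The font-size-zero trick described above is easy to check for on your own pages. As an added example (not code from the thread), this audit walks the `<pre>`/`<code>` blocks of a page's HTML and reports text that a reader cannot see but a copy/paste still carries; it assumes inline styles only, so stylesheet rules would need resolving separately, and the sample HTML is constructed.

```javascript
// Inline-style fragments that hide an element while keeping its text in the DOM,
// so it is invisible on screen yet still lands on the clipboard.
const HIDING_RULES = [
  /font-size\s*:\s*0(?:\.0+)?(?:px|em|rem|%)?\s*(?:;|$)/i,
  /display\s*:\s*none/i,
  /visibility\s*:\s*hidden/i,
  /opacity\s*:\s*0(?:\.0+)?\s*(?:;|$)/i,
];

function stripTags(html) {
  return html.replace(/<[^>]+>/g, "");
}

// For each <pre>/<code> block: the text a reader sees, the text Ctrl+C copies,
// and the fragments that differ between the two.
function auditCodeBlocks(html) {
  const blockRe = /<(pre|code)\b[^>]*>([\s\S]*?)<\/\1>/gi;
  const styledRe = /<(\w+)\b([^>]*\bstyle\s*=\s*"([^"]*)"[^>]*)>([\s\S]*?)<\/\1>/gi;
  const findings = [];
  let block;
  while ((block = blockRe.exec(html)) !== null) {
    const inner = block[2];
    const hiddenFragments = [];
    let visible = inner;
    let el;
    while ((el = styledRe.exec(inner)) !== null) {
      if (HIDING_RULES.some((rule) => rule.test(el[3]))) {
        hiddenFragments.push(stripTags(el[4]).trim());
        visible = visible.replace(el[0], "");
      }
    }
    findings.push({
      visibleText: stripTags(visible).trim(),
      copiedText: stripTags(inner).trim(),
      hiddenFragments,
    });
  }
  return findings;
}

// Constructed sample: one clean block, one with an injected invisible span.
const SAMPLE_HTML = `
<pre><code>pip install requests</code></pre>
<pre><code>echo "hello" <span style="font-size:0">; echo "hidden text was pasted too"</span></code></pre>
`;
```

A block is suspicious whenever `hiddenFragments` is non-empty; comparing `visibleText` with `copiedText` shows exactly what a reader would paste without seeing.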
Sure but what i asked wasn't about your own site but why it is something sites have to care about when the actual issue is with ISPs (in the case where ISPs are injecting ads or other stuff). There are *WAY* more sites than ISPs and the party that is wrong here is the ISP, not the site.
What makes you think HTTPS is going to prevent that? You can without much effort generate your own SSL certificate and MITM attack HTTPS traffic [0]. Not sure why to win an argument you stop short of the place where your argument would fall far apart, but not a single step further.
Of course you can MITM HTTPS if you get the end user to install a custom CA, the point is that those are extra steps that few users will take (and if my ISP ever required that I would switch to a different one immediately since that's shady as hell).
And how prevalent is the practice of ISPs injecting packets into non-HTTPS traffic? Seems like OP is trying to argue against HTTP just because of a few ISP bad actors. HTTP is simpler, faster, less complex and requires much less initial configuration to set up. It also seems to me that HTTPS would be a great way for an evil tech monopoly (Google?) to solve the user attribution problem much more accurately in a cookie-less world (if you control the browser "Chrome" and the server "AMP" you just need to make sure the link between the two is encrypted to identify the user.) So I'm always worried whether opponents of HTTP have not been somewhat indoctrinated.
Do you think a complaint from all three customers in your area who understand the issue is going to change anything, especially when options are limited and your only choices of ISP are engaging in the same behavior?
On unencrypted connections, there's nothing preventing an intermediary from altering a page. Assume it happens.
A complaint by three people wouldn't make much difference, but if it is just three people in an entire country then the issue doesn't matter much in the first place.
On the other hand, a complaint by all the customers of the service over the entire country who understand the issue could make a difference.