[MrRadar]

Of course you can MITM HTTPS if you get the end user to install a custom CA, the point is that those are extra steps that few users will take (and if my ISP ever required that I would switch to a different one immediately since that's shady as hell).

[soheil]

And how prevalent is the practice of ISPs injecting packets into non-HTTPS traffic? Seams like OP is trying to argue against HTTP just because of a few ISP bad actors. HTTP is simpler, faster, less complex and requires much less initial configuration to set up. It also seems to me that HTTPS would be a great way for an evil tech monopoly (Google?) to solve the user attribution problem much more accurately in a cookie-less world (if you control the browser "Chrome" and the server "AMP" you just need to make sure the link between the two is encrypted to identify the user.) So I'm always worried whether opponents of HTTP have not been somewhat indoctrinated.

[Seirdy]

> And how prevalent is the practice of ISPs injecting packets into non-HTTPS traffic?

Is there anything preventing page alteration on unencrypted connections? There's certainly an incentive to do so.