[JoachimSchipper]

> proxies can unwrap HTTPS

They cannot get at the plaintext without a certificate warning (or installing a certificate in the user's browser beforehand).

[pnathan]

They cannot get at the plaintext without a certificate warning (or installing a certificate in the user's browser beforehand).

Which will get clicked through anyway, so, uh, the security is kinda moot. =)

[Cushman]

I don't know why you were downvoted for this, it's a very cogent point— most users would probably click through a big red screen that says "DO NOT VISIT THIS WEB SITE!" We need to be thinking of them when we design our security model.