[stop_nazi]

1. using http-only for decades, never seen “injections” 2. just change ISP

[Avamander]

> 2. just change ISP

Not a viable option in a lot of places. Nor does anyone really even want to consider this possibility of their ISP being able to MITM something in the first place.

[stop_nazi]

If a provider does not provide data transmission, that provider is not competent. Period

[Ferret7446]

Saying that doesn't fix the problem though

[bilekas]

> using http-only for decades, never seen “injections”

This has to be a rage bait comment, but anyway, how do you expect 'injections' to show up on 'http-only' ?

"Don't mind us, we're just sitting in the middle of your traffic here and recording your logins in plaintext"

[stop_nazi]

I'm not talking about logins, it's supposed to be encrypted. If I go to read news that is open to an unlimited number of people, there is no need for encryption: the information is open.

[Avamander]

You assume that you will _never_ read something that might be out in the open but at the same time the fact that you're reading it might be the thing that needs protecting? A public invitation to a protest against your autocratic government, for example?

[pKropotkin]

A public invitation to protest against my authoritarian government should not turn on total paranoia mode and cipher the opening hours of the local bakery. It's unnecessary I'd also like to remind you that the vast majority of e-mails are still unencrypted

[tialaramex]

> vast majority of e-mails are still unencrypted

Kinda sorta. In transit most email is encrypted, the big mail providers all both speak and expect TLS encryption when moving mail. Almost everybody configures TLS encrypted IMAP if they use a client, or reads email over HTTPS

> A public invitation to protest against my authoritarian government should not turn on total paranoia mode

The expectations ordinary people have for how the web works are not met by the basic HTTP protocol. They need HTTPS to deliver those basic assumptions. Who decides the hours of the local bakery? Is it Jeff Bezos? HTTP says that seems fine, but HTTPS says no, the bakery gets to decide, not Jeff.

[mailtls]

Yes, many providers use TLS with SMTP. But that works with self-signed certificates.

[Avamander]

Can you say that for everyone though, that they should have a local bakery and use its opening hours? There are also more cases than that, where something being public does not mean that someone should see you looking at that info.

While the situation with emails is worse it does not mean it should be like that.

[perching_aix]

> just change ISPs

I sure love when decisions reduce themselves to single points of consideration by virtue of them being discussed in a heated internet forum thread

[stop_nazi]

The problem with the horrible injections on the page can be solved very simply. If the information on a page is open, just pass that page openly and pass a checksum of page in the header. To prevent this sum from being tampered with, the server will encrypt it. Not the whole page, just the sum. You will save a lot of CPU time on server and on client, reduce CO₂ and so on

[Avamander]

So TLS with some "eNULL" ciphersuite. People have been there, tried that. There's very very little practical value in that over just doing proper encryption as well.

[Ferret7446]

You aren't really saving anything. Hashing and encryption are very similar, so hashing the entire page is comparable to just encrypting it.