[swinglock]

Men in the middle including predatory ISPs can not only spy but also enrich. Injecting JavaScript and embedding ads is the best case scenario. You don't want that.

In addition even without bad actors TLS will prevent random corruption due to flaky infrastructure from breaking the page and even caching those broken assets, preventing a reload from fixing it. TCP/IP alone doesn't sufficiently prevent this.

[Am4TIfIsER0ppos]

> JavaScript

Why do you allow that RCE in the first place?

[swinglock]

Most users have JS enabled nowadays. Much of the web doesn't work without it. It was just an example.

[psnehanshu]

TCP ensures what gets sent on one side gets received on the other side. TLS just encrypts the data. So even without TLS, random corruptions won't happen unless someone does MITM attack.

[swinglock]

No it does not. I've had this happen in legacy systems myself. The checksums of TCP/IP are weak and will let random errors through to L7 if there are enough of them. It's not even CRC and you must bring your own verification if it's critical for your application that the data is correct. TLS does that and more, protecting not only against random corruption but also active attackers. The checks you get for free are to be seen only as an optimization, letting most but not all errors be discarded quick and easy. Just use TLS.

[ppseafield]

I saw myself years ago that Verizon injected marketing tracking headers into http traffic. My ISP was the MITM.

https://www.eff.org/deeplinks/2014/11/verizon-x-uidh