[himata4113]

I think you would have a better argument if you said something like: "I don't want my ISP knowing about the content I read" or something along those lines. MITM for a text download is like saying we have to have https for dns (yes DoH exists now), but the point still stands. You aren't sending any sensitive data to the website, MITM is unlikely.

[brewmarche]

Without HTTPS someone could alter the content, spread false information, inject ads, malware, and other stuff, redirect to some other site, …

(This is a general remark, but it goes for a blog post like this as well.)

[himata4113]

It's still a weak argument since it's extremely rare in practice that's why I suggested blaming the ISP instead since ISP's are the ones that have historically tampered with http content.

[Orygin]

It's rare in practice because everyone and their mothers run HTTPS now.

[foobiekr]

Attacks in general are all rare in practice in the grand scheme of the internet. So?

[himata4113]

Yes, that's why you present a better argument, that's the entire conversation.

[reaperducer]

Not everyone has to prepare their home for a leopard attack.

[Joker_vD]

The site owners could do all of that even with HTTPS, and no-one would revoke their certs. Just saying.

And the best Windows malware is actually digitally signed.

[SAI_Peregrinus]

I no longer have an ISP that injects ads into HTTP-only pages, but I did have one once. MITM is quite possible.

[OkayPhysicist]

Without HTTPS, every link in the chain between me and your website is a potential attack vector. Maybe I trust my ISP, but do I trust my buddy's cheapo router? What about the shadowy cabal that offers airport wifi?

With static webpages, the concern isn't someone snooping in on what I'm reading. It's someone injecting content, probably malware, into the page. Let's say I have a zero-click exploit for Chrome. What can I do with it? If I just stick it on a page I control, best I can hope for is spamming it all over the web and hoping someone clicks on it. Probably not a lot of impact before it gets patched. If instead, I can wait until some router firmware gets pwned, or an ISP, I can do a mass attack where I make all the vulnerable routers inject my exploit into all non-HTTPS web requests. Much greater exposure.

[butlike]

Just as a reminder, this was standard before SSL/TLS. Every webpage was http-only.