[foobiekr]

It’s html. Which is code that your browser executes.

Millions of routers are compromised. BGP attacks happen. Anything http stands out as an interesting target for injection.

This position is foolish. It’s not a major ask to enable https.

[pavon]

For a random blog you have never visited before and have no reason to trust. It could attempt to do all the malicious things that you are worried a man in the middle would do.

[themafia]

The browser still has to execute code over HTTPS. You've just moved the injection perimeter from inside my own network into the providers website. I don't think you've fundamentally changed your level of risk unless you spend a huge amount of time browsing on shared password WPA protected wifi networks.

You cannot browse to sites under any regime and execute code while expecting security to exist.

[toast0]

> BGP attacks happen.

If you control the IP a domain name points to, you can get a certificate issued. Https might help on a small BGP takeover, but it might very well not.