Comment by pc86
4 hours ago
Man I really hope this doesn't get autoflagged because people need to see that this is an opinion people actually have, and what the (justified) reaction to it is.
HTTPS on a blog does nothing. It doesn't protect you from anything. I guarantee you're not getting "all kinds of MITM injections" on this block of text. The only reasonable desire I can think of for "HTTPS everywhere" is hiding the content from your ISP but a) they still see the URL so they can get the content if they want it, and b) if you're so worried about that, use a VPN which coincidentally is even better because it will also hide the URL, and most importantly c) it puts the onus on you, the person who wants the thing, instead of hundreds or thousands or tens of thousands of text-only website owners who rightly couldn't care less about HTTPS.
>I guarantee you're not getting "all kinds of MITM injections" on this block of text
You actually can’t guarantee anything of the sort. BGP hijacks are real.
> they still see the URL so they can get the content if they want it
That's incorrect, a MitM can only reveal the server hostname by inspecting the SNI during the TLS handshake, but the HTTP request, including the URL and headers, is encrypted.
Surely your ISP can see every URL you visit if they have a reason to? They're routing the traffic.
No they can't. They obviously know the IP addresses, but that's not terribly useful since everything is behind a cloudflare proxy nowadays. The server hostname may provide some more information, if the server doesn't support ECH [1], but the full URL is encrypted.
https://en.wikipedia.org/wiki/Server_Name_Indication#Encrypt...
Routing only shows the server IP address, which isn’t very useful if it is AWS or Azure or CloudFlare or some other CDN.