
When was the last time that you got served a tampered webpage over http?


Happened to my startup back in ~2012.

We had built an iPhone app that retrieved HTML pages from a server, but then scanned for extra metadata that was embedded in HTML comments for things like what navigation options should be displayed to accompany that page.

We got a bug report from a user that the app broke when they used it on the free WiFi on the London Underground.

It turned out there was some weird proxy running on that WiFi network that stripped HTML comments and injected extra tracking code into pages!

Switching to https fixed the bug. I haven't shipped anything that uses plaintext HTTP since then.
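
The failure described in the comment above (a proxy stripping HTML comments and injecting a script) can be made visible on the client side. This is an added example, not part of the original comment or the app it describes; the page contents, the `tracker.example` host, and the function names are constructed for illustration, and the pinned values are assumed to have been obtained out-of-band.

```python
import hashlib
from html.parser import HTMLParser

class _Inventory(HTMLParser):
    """Collects the HTML comments and script sources found in a page."""
    def __init__(self):
        super().__init__()
        self.comments, self.scripts = [], []

    def handle_comment(self, data):
        self.comments.append(data.strip())

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append(dict(attrs).get("src") or "<inline>")

def inventory(html):
    parser = _Inventory()
    parser.feed(html)
    parser.close()
    return parser

def check_page(received, expected_sha256, expected_comments, allowed_scripts):
    """Compare a page fetched over plain HTTP with facts pinned out-of-band."""
    digest = hashlib.sha256(received.encode("utf-8")).hexdigest()
    inv = inventory(received)
    return {
        "digest_ok": digest == expected_sha256,
        "missing_comments": [c for c in expected_comments if c not in inv.comments],
        "unexpected_scripts": [s for s in inv.scripts if s not in allowed_scripts],
    }

# Constructed sample: the page as the origin serves it ...
ORIGIN = ('<html><body><!-- nav: back,home,share -->'
          '<h1>Article</h1><script src="/app.js"></script></body></html>')
# ... and the same page after a comment-stripping, script-injecting proxy (constructed).
PROXIED = ('<html><body><h1>Article</h1><script src="/app.js"></script>'
           '<script src="http://tracker.example/t.js"></script></body></html>')

PINNED = dict(
    expected_sha256=hashlib.sha256(ORIGIN.encode("utf-8")).hexdigest(),
    expected_comments=["nav: back,home,share"],
    allowed_scripts={"/app.js"},
)

if __name__ == "__main__":
    print(check_page(ORIGIN, **PINNED))   # clean fetch
    print(check_page(PROXIED, **PINNED))  # modified in transit
```

A check like this only detects modification, and the pinned digest itself has to arrive over an authenticated channel; HTTPS provides that integrity for the whole response.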


Thank you all for your comments! We are working on a new version of the website, with a new layout, better examples up front, and HTTPS.


Not sure if you heard, but recently more net neutrality rules were struck down and that is expected to continue -- so ISPs (who have already done this) are allowed to inject / replace ads with their own ads, as an example. (https://thenextweb.com/news/comcast-continues-to-inject-its-... was the first article I hit in the googles)


I believe I'm being served tampered content every single time I access HTTP, so the last time that happened coincides with the last time I used an HTTP URL.

Here are two hurdles:

1. Can you prove me wrong?

2. Next, given 1, can you rationally justify not rolling out HTTPS everywhere?

In other words, is it actually a valid argument that "often, nothing bad happens when you use HTTP, so it is okay"?

Tampering of content has nothing to do with your privacy; it's a security matter. A nefarious man-in-the-middle could insert content which attacks your browser or redirects it to a malicious site, etc.

That attacker could be on a network close to you, or a network close to the site. It's not a matter of trusting or not trusting the original site that serves the HTTP.

Therefore it doesn't matter that you're just accessing the site as an anonymous visitor without an authenticated account, just viewing public content.


I just mostly mourn all the caching and sharing potential along the way, gone in the world where everyone totally needs a private secure tunnel to the very server containing the most mundane, public and irrelevant information.


Thanks. We're working on an improved site with HTTPS. Coming very soon, I hope!


> Tampering of content has nothing to do with your privacy; it's a security matter. A nefarious man-in-the-middle could insert content which attacks your browser or redirects it to a malicious site, etc.

Curious, why doesn't that happen when I access https://verybadguy.tld/this_page_absolutely_doesnt_have_harm... for the first time? Isn't it the browser's job to handle harmful content?


Browsers are indeed supposed to make it safe to connect to anything; it is their job. They have not had a perfect track record, though.


My caching proxy disagrees with that. My threat models are bad 4g connections and greedy telcos.


Fair enough. All depends on your threat model and risk appetite.



