Note that the "malicious page" could also be embedded / injected in another page. Basically any non-HTTPS page opened over public WiFi would be enough. And conveniently, users on public WiFi are also the easiest to sniff, so they are the group on which breaking encryption makes the most sense.