> If you're on a traditional home internet connection, who exactly can tamper with your traffic? Your ISP can, and that's not great, but it doesn't strike me as blaring siren levels of terrible, either.
This characterization in on the same level of sophistication as "the Internet is just a series of pipes". Every transit station has the opportunity to read or even tamper with the bytes on an unencrypted http connection. That's not just your ISP, it also includes the ISP's backbone provider, the backbone peering provider, your country's Internet Exchange, the Internet Exchange in the country of the website, the website's peering partner, and the website's hosting partner.
Some of those parties may be the same, and some parties I have not mentioned for brevity. To take just one example: there is only one direct link between Europe and South America. Most traffic between those continents goes via Amsterdam (NL) and New Jersey (US) to Barranquilla (CO), or via Sines (PT) to Fortaleza (BR). Or if the packets are feeling adventurous today, they might go through Italy, Singapore, California and Chile, with optional transit layovers in Saudi Arabia, Pakistan, Thailand or China.
Main point being: as a user, you have no control over the routing of your Internet traffic. The traffic also doesn't follow geographic rules, they follow peering cost. You can't even be sure that traffic between you and a website in your country stays inside that country.
Thanks for this, I legitimately didn't realize every interlink in the entire chain has the ability to tamper with a connection. I'm still very concerned about the centralization of https but I understand the need somewhat more.
Ask gay people in Iran, Uyghurs living in China, and investigative journalists in Washington, if encrypting internet traffic is a good thing or not.
Maybe a more relatable scenario for you - it was only a few years ago that you could turn cable modems into promiscuous mode to see ALL PLAIN TEXT TRAFFIC of the people living in your street!
So, if you you still think encryption isn't needed for the average person - what's your gmail username and password?
Also, don't forget that the route negotiation protocol is mostly unsecured. As we have seen in the past, it is very easy for a 3rd party to (accidentally or intentionally) redirect traffic through its routers.
In practice this means you have to consider the possibility that anyone on the entire internet can inspect your traffic. Traffic from your home in Seattle to Google's west coast data center? For all you know it could be going via Moscow.
This characterization in on the same level of sophistication as "the Internet is just a series of pipes". Every transit station has the opportunity to read or even tamper with the bytes on an unencrypted http connection. That's not just your ISP, it also includes the ISP's backbone provider, the backbone peering provider, your country's Internet Exchange, the Internet Exchange in the country of the website, the website's peering partner, and the website's hosting partner.
Some of those parties may be the same, and some parties I have not mentioned for brevity. To take just one example: there is only one direct link between Europe and South America. Most traffic between those continents goes via Amsterdam (NL) and New Jersey (US) to Barranquilla (CO), or via Sines (PT) to Fortaleza (BR). Or if the packets are feeling adventurous today, they might go through Italy, Singapore, California and Chile, with optional transit layovers in Saudi Arabia, Pakistan, Thailand or China.
Main point being: as a user, you have no control over the routing of your Internet traffic. The traffic also doesn't follow geographic rules, they follow peering cost. You can't even be sure that traffic between you and a website in your country stays inside that country.