Because browsers run code, they exist in that tricky space where some design decisions have to be made for the good of the commons.
If you visit an HTTP site and get MITM'd, it's not just that the attacker can put you at risk by spoofing a credential input box; it's that the attacker can put third parties at risk by having your browser XMLHttpRequest as fast as it can at someone else's site to try and DDoS them.
At that point, the calculus shifts and we see a world where user-agent engineers have to make decisions like Microsoft did (to start forcing people to install security patches to the most popular OS on the planet, because we have enough evidence from human behavior to know that at some point, forcing-via-inconvenience becomes necessary).
HTTP is fundamentally broken in that it can be abused to damage the network itself, and even though it's a deeply entrenched protocol, it's one that people have to be backing towards the exits on for that reason.
I think your comment goes specific, but I was talking generally. I don't really understand if you are arguing against my opinion... I don't know what to respond... bye