Your missing the point. In that browsers insist that you now -must- have HTTPS. And that if you wish to serve an static HTTP website over HTTP you can not without a glaring "This site is unsafe" thrown in your face.
That's because it is unsafe. Without HTTPS, an attacker can inject arbitrary malicious javascript into the page.
The only context in which plain HTTP is ok on today's internet is when you a loading a page from your own server on the same LAN, behind a firewall, when you are reasonably sure that nobody else is in you network.
> That's because it is unsafe. Without HTTPS, an attacker can inject arbitrary malicious javascript into the page.
No they can't. If they can inject malicious content then you should fix the exploits on your platform. HTTPS isn't going to save you. If exploitable under HTTP hey can do the same under HTTPS.
So, How is a static webpage of "hello world" unsafe?
There is no such thing as a "static" web page in the context of a MITM attack. The MITM can change the page to ANYTHING he wants it to be. The HTML you receive can be a completely different page than the one sitting on your server.
HTTPS protects you from that. It ensures that the HTML you receive is the same HTML from the server. That's why I sad: The only way unencrypted HTTP is reasonable is when you are fairly sure that there isn't a MITM. Like on your local LAN--anything that goes across the public internet is suspect.
> If they can inject malicious content then you should fix the exploits on your platform.
This is not reasonable. Literally every browser out there has multiple 0-days show up every year. Chrome, Firefox, Brave, Safari, Edge, you name it.
Now try connecting to public wifi with that. Doing a MiTM and replacing anything with anything else is super easy. Just put a router with some Linux distro acting as extender (or mobile connection AP) with the same name and you can change traffic on any non-HTTPS website.
Or not even a public wifi. Someone can put a device somewhere between your home and ISP and MiTM attack you the same way as above.
Oh, and I will just show you fake e.g. Google login page, not just replace the context. And you are tired and just want to use the web... You won't notice the unsecured connection.
> The scenarios you listed can even make HTTPS insecure.
You don't understand what HTTPS does, then.
HTTPS is specifically designed to counter MITM attacks, so it is, in fact, not insecure in the scenarios listed by the parent comment.
> If you were visit that page on an network that is not MiTM the website is still secure. There is no requirement for SSL.
That is really only relevant when you and your sever are on the same LAN, behind a firewall, and you are reasonably sure that you don't have an intruder (like I mentioned upthread).
When you are browsing a server across the public internet, you should assume you are being MITM'd. With HTTP (not S), the MITM attacker does not need to be between you and the server. If they can guess the TCP sequence number and when you are browsing, the MITM can inject (or replace) arbitrary content into the pages you load.
