Because without HTTPS it's trivial to MITM that clipboard content if they're always sending it via http.

People in your coffee shop on the same WiFi could read it.

I get some people don't realize that's how TCP/IP works and the firesheep stuff all happened 15 years ago. But a bit worrying to see a frequent HN contributor challenging that.

That's why we now push for Https everywhere.

That has no effect on the owner of a malicious access point. HTTP over WPA2 is plaintext again the moment the AP decrypts it.

you may be surprised at the number of unsecured WiFi networks there are.

I see them in 2025 in captive portals, public libraries, and when traveling abroad.

Not all guest Wi-Fi uses a PSK. In general, assuming all networks will already be encrypted along each hop to the server is a losing assumption for users.

Https everywhere is a good start, it keeps the other plebs at the coffee shop out of your business. But it's still open to anyone with enough power to coerce a CA, which is the more concerning sort of adversary anyhow. So yes, https everywhere, but let's not stop there.

Yes, but we have widely deployed efforts like certificate transparency, and cert pinning.

The first makes such attacks widely known events, browsers report by default, and it s provable. It’s very rare.

The second allows apps to only trust specific certs or CAs, ignoring system root of trust.

I just want to clarify HTTPS in practice is quite secure.

I'll not let go of my distaste for roots of trust in any form, but you likely have a point. I'll have to learn more about this transparency thing.

How about HTTPS?