If your site does not use HTTPS, Rostelecom will insert pro-war propaganda in it

This sort of thing is why I look askance at the "you don't need certificates" crowd. In the US, at least both Comcast and AT&T have a long and well-documented history of injecting advertisements into websites when the lack of a certificate lets them get away with it. Maybe you don't care about eavesdroppers, but you should care about a malicious network tampering with your content in-flight.

Mobile providers have been doing this crap for ages.<p>That is why in the past I run my mobile connection through a VPN as much was possible.<p>FWIW this has nothing to do with pro-war propaganda, just the sketchy behaviour telecoms providers have been doing and still do.

How easy is it, in practice, for a nation state level authority to add a root certificate to people&#x27;s devices?<p>Adding letsencrypt to my personal server made me realize that if I&#x27;m MITM&#x27;d by a proxy, the padlock still shows up; merely clicking on it and going down a couple of menu levels (in Chrome &quot;Connection is secure -&gt; Certificate is valid&quot; will reveal that the MITM proxy&#x27;s root certificate is in use.<p>If an employer can do this to its laptops, and presumably a cell phone maker to the cell phones it sells, just much protection does https really give you against a nation state level propaganda machine?

In cryptography there is the clear difference between encrypting and signing (Confidentiality and Integrity). Is this distinction possible on a webserver&#x2F;browser? I.e. No encryption, no signing -&gt; HTTP Encryption and signing -&gt; HTTPS No encryption, signing -&gt; ? What about public information (not confidential) that needs verification (yes integrity)?

Even with HTTPS, are any pinning techniques still viable to warn users the traffic is being, possibly legitimately, MITM-ed?<p>HPKP was an option, but the footgun reason was given for dropping support. Has anything taken its place? Is there anyway to determine a MITM server-side without relying on x-forwarded-for or via headers?

Author himself links to articles how said ISP was injecting news ads, since 2020. Current news is about Ukraine, thus must be propaganda.

Good way to make people switch.