Re: @Charles 9 Chinese Cannon
Do you execute untrusted code (which could be malware) from a http protocol site? I doubt it. If it were https, a lot of people would think it's legit and code would be executed.
So there's one point down for https.
As I pointed out, the attacker would have to control the edge router at either end. If they control the edge router at the website you're accessing, they presumably control the web server as well, and at that point they can inject whatever they please into the pages they serve or serve whatever they won't -- and it will all be HTTPS with valid certificates.
Same applies for the edge router at your end. SSL forwarding as much as they want and they can look into the content you're getting.
A MitM attack somewhere at a random point between edge routers has almost no chance of succeeding, unless the attacker controls all routers at which point you have a much bigger problem.
--
I was expecting you to mention Stuxnet. And let me repeat: The Iranian nuclear program had much bigger problems than Stuxnet if it was able to jump the airgap. Stuxnet only used a vulnerability that was already present.
Biting the hand that feeds IT
