But you could do that under HTTPS, with a self-signed certificate and have it load under HTTPS anyway. Or a variety of methods to get an illegitimate certificate trusted to some subset of users.



But I can't do that in the moment. Without HTTPS I sit on the network and see a clear request to your website. I intercept it and cause problems. With HTTPS I need to have planned ahead of time to target your website specifically and spent time and money on getting a bogus cert for your website. If your website is small I am not likely to do that. But I don't care how big your website is once I'm seeing cleartext traffic.


Hmm, well, in this case it's as easy as running a script and clicking a button from this particular host. So I guess there's no major reason why not to do it (and it seems like my provider is defaulting to TLS from Let's Encrypt on any new sites made anyway). So it's the new default way of doing things.

I'm not entirely convinced that it solves the MITM attack still. But I'm still not convinced that the arguments a lot of people are making around here necessarily make sense either. A lot of these attacks are fundamentally theoretical and don't seem broadly applicable.

The main argument that convinced me is: it's easy to do, so why not? But the scare tactics that a lot of people in this discussion are using are unsavory to me and are unintelligent IMO.
