This is beside the point of the article, but the link is in HTTP (no TLS but available with a correct certificate), and the report site which has the information linked in the article is also in HTTP (but has a bad TLS certificate).
Perhaps not least of all that you'd expect a web page from MIT of all places to use a generally considered standard security practice of using TLS, particularly for information some might consider quite important.
For an institution that claims to be an engineering leader, there's no real excuse for not having TLS everywhere with proper redirects today. It can prevent ISPs from seeing what you get or injecting their own code into webpages.
The information therein is potentially bad for their reputation, and not "signing on the dotted line" leaves scope for them to come out in the future and say "that's not actually what we said, must have been MitMd" (for example).
An institution of this calibre should be considered viable to pull off something this obtuse to your average person, and thus should not be given the benefit of the doubt. This is just one of many possible effects including SEO penalties amongst others.
That risk doesn't make any sense when they can also just edit the page content on their end. Are we taking seriously the risk MIT would try and blame editing their own page on some kind of MITM that successfully masked true page content a) consistently b) for 100% of readers c) applied at an attack location in the network that someone had access to that isn't the same someone as controls the TLS-verified content hosting? This smells like rhinoceros-repellent levels of paranoia.
I'm not seriously suggesting this is likely, I'm just presenting a hypothetical scenario, and it doesn't need to be plausible in order for it to be used as a narrative. Do it properly, remove any doubt, secure your (one's) website so people _know_ the information came from you.
Yes, it is worth it, and, no, this particular engineering leader displays no such skill here. It was somewhat debatable several years ago, when the whole "switch to https" movement just started growing traction, and, yes, there are some questionable moments, as with FTP.
But today TLS-by-default is pretty much a standard practice for any public web-page like this, there's no trade-off to make here, and it can be argued it undermines my privacy as a visitor, since instead of just revealing that I'm visiting mit.edu to the network, I have no choice but to reveal what page I'm visiting and what I'm reading there. Furthermore, the network owner may decide to serve me any bullshit instead of this very important official MIT statement, and I will have no way of knowing that.
Aren't you worried that a statement surrounding a person who is the subject of a possible international cover-up, might be a prime candidate for MitM-type tampering? Without HTTPS, how do you know what you're reading hasn't been subtly changed from the real statement MIT put out?
Network effect. Someone making that attack would have to hit near 100% of readers to mask such shenanigans, or readers receiving different versions would discover the hijinks when comparing notes. An attack that far upstream is an attack by an insider who can likely get it into the network behind the TLS encryption anyway.
I specifically wrote it was beside the point of the article, and that it was something I noticed and I thought was worth pointing out after reading the whole article and not having anything in particular to say about it.