
> I don't understand this risk; it's not setting cookies, there's no passwords, or any personal information.

I agree with you technically, but in practical terms imagine if you changed the web page to look like a Google-style search engine window.

You can expect all the less-sophisticated users to try typing site names and even URLs into that text widget.

And if you give them back what looks like a link to the place they wanted, they absolutely will click it, and most of them will happily trust that, having typed "My Bank" and clicked a link labelled "My Bank: A secure bank" in the resulting "search results", the site they've reached, fake.mybank.neverssl.com, must obviously be their bank, and they will cheerfully give you their bank credentials.

I'm not suggesting this as a criticism; it's purely an observation that in practice NeverSSL getting pwned would be a real problem, the same exact way it's a problem when some Hollywood actress (who doesn't know the first thing about medicine) tells women not to vaccinate their kids. People are dumb, and we have to allow for that.
