Channel: InformAction Forums

Re: Isolated browser sessions: not so safe after all

Hecuba's daughter wrote: To be fair to the basic user, this is just one more reason for not using a network whose security you aren't confident in. Surely?

OK, but people will still use free WiFi. Because it is free, after all.

Not that I don't completely trust NS to prevent XSS and CSRF etc,

Well, when we're talking about an insecure network, you shouldn't trust NS to completely protect you, because an active attacker on the network can impersonate any plaintext site on your whitelist. Browser sends OCSP request, attacker responds with redirect to http://www.bank.com, browser requests bank.com via plaintext, attacker impersonates bank.com.

Forcing HTTPS is the only real defence here.
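The redirect scenario described in the post above, as an added example that is not part of the original post: it audits a recorded redirect chain for hops that steer the browser to a plaintext URL on a protected host, and shows the request a force-HTTPS rule would send instead. The host list, function names and sample chain are constructed for illustration and do not reflect NoScript's own code.

```javascript
// Hypothetical list of hosts that must never be loaded over plaintext HTTP.
const FORCE_HTTPS = new Set(["www.bank.com"]);

// Upgrade a request URL the way a "force HTTPS" rule would: listed hosts
// are rewritten to https before any request leaves the browser.
function forceHttps(rawUrl, hosts = FORCE_HTTPS) {
  const url = new URL(rawUrl);
  if (url.protocol === "http:" && hosts.has(url.hostname)) {
    url.protocol = "https:";
  }
  return url.href;
}

// Walk a recorded chain of {request, status, location} hops and report every
// redirect whose target is a plaintext URL on a protected host. Each finding
// is a point where an on-path attacker could answer in place of the site.
function findPlaintextRedirects(chain, hosts = FORCE_HTTPS) {
  const findings = [];
  for (const hop of chain) {
    const isRedirect = hop.status >= 300 && hop.status < 400;
    if (!isRedirect || !hop.location) continue;
    // Location may be relative, so resolve it against the request URL.
    const target = new URL(hop.location, hop.request);
    if (target.protocol === "http:" && hosts.has(target.hostname)) {
      findings.push({
        from: hop.request,
        to: target.href,
        upgraded: forceHttps(target.href, hosts),
      });
    }
  }
  return findings;
}

// Constructed sample chain: a plaintext request answered with a redirect to
// the plaintext bank URL, followed by two unrelated, harmless hops.
const sampleChain = [
  { request: "http://ocsp.example-ca.test/status", status: 302, location: "http://www.bank.com" },
  { request: "https://www.bank.com/login", status: 302, location: "/account" },
  { request: "http://news.example.test/", status: 200, location: null },
];

for (const f of findPlaintextRedirects(sampleChain)) {
  console.log(`plaintext redirect: ${f.from} -> ${f.to} (forced: ${f.upgraded})`);
}
```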
