
The downsides of being secure are a 5 minute setup, once. The thought process of "should this be secure?" is 10 minutes even if the answer is obvious.

So why bother? Just be secure and move on.




Because securing things that don't need to be secured (which is most of the Internet, frankly) is a waste of time and effort. Unless you are handling credentials or other sensitive data, you don't need TLS and shouldn't bother.


Https does nothing for security.

Its purpose is to authenticate financial transaction packets, not to be "secure". (Whatever that means.)


>Https does nothing for security.

What sort of definition are you using for security? It's obviously not the standard one.

Sending passwords in the clear vs not is covered on the first day of security 101.


Any sort of definition of "security" will need to start from the threat model.

Which you don't have, because you're not doing security. Just buzzwords.


The threat model is really simple, actually!

"I don't want other people to know my passwords".

Perhaps you don't understand what HTTPS does. Which is totally fine! Lots of people don't really get it (or even need to). But yelling "buzzwords" for the things you don't understand doesn't make the usefulness go away.

For someone so wrong about this, you're very opinionated! It's quite a dangerous mix. Thankfully, not dangerous to me, so I can just have a little chuckle and move on.


Security is: confidentiality, integrity, availability. HTTPS gives you two of those. Well, as long as you trust the CAs that came installed on your computer that is.


You need 9 more minutes of thought process.


No, I need exactly 0 seconds to process empty buzzwords in the vein of "add Frobnozz to your TCP/IP, Frobnozz increases security bigly!".


There are zero buzzwords. I was just being vague because again, the cost of just flipping https on is negligible, it's literally more work to have this conversation and work out all of the details of exactly what attacks you're protected against.

It is never worth asking "should I even do https?" The only variation worth considering is "is https enough?" And even then, start with https and then build on top.


HTTPS does nothing for security. (Except in very rare and specific cases that aren't important here.)

> The only variation worth considering is "is https enough?"

Enough for what exactly? Since this charade clearly isn't about security, what exactly is the metric for "enough"?


Answered above. :shrug:


It does quite a lot for security. It prevents eavesdropping (to an extent, better with ESNI), disallows ad/malware-injection or content modification, and prevents credential sniffing. It does all that against most reasonable attackers, up to around the rough ballpark of nation states.

All for the price of about the same amount of work that it took to read this message.

"Https is only for credit cards" is some serious 1990s bullshit.



