The stupid behaviors listed above are putting your google password or payment info into a random blog, or running a program it gives you because it says you need to update.

Doing that is stupid whether it's http or valid https or broken https.

Okay, but if a user went to a http version of YouTube and put in your payment info to buy a movie, as opposed to remembering it should take him to an https Google page, I would find that a plausible situation that is hard to blame the user for. Attackers being able to hijack the reputation of sites is problematic.

> Attackers being able to hijack the reputation of sites is problematic.

And the whole point of this thread is that some sites have 0 reputation to hijack.

Youtube does not have 0 reputation. The point of this thread is arguing the merits of requiring sites that don't handle sensitive informationfto use https.

Nobody mentioned YouTube until your previous post. The example of 0 reputation was a ten year old blog post found via a comment.

And "logins" were explicitly listed as important to secure, in that same comment. So that double covers YouTube for just about everybody.