
> When the user first visits an HTTPS page with a self-signed cert, they get the content, and the URL art style has a broken lock or something warning it's not known to be secure.

Do we assume the user is going to notice that URL art style, and actually heed it? Because if the answer is "no" (and I think in reality, the answer would be "no"), then pick a high value site, and MitM it with a self-signed cert. The user misses the indicator, and proceeds to interact with the site; does JS work? (let's steal the user's cookies) do forms work? (please log in!)



If you have the ability to MitM a high value site like facebook.com without getting caught, I think it's worthwhile to do so regardless simply because you'll get some portion of the users who bypass the warning. In my scheme, the only people who won't see the warning are those who have never visited Facebook with that browser before, so they may or may not have an account to log in with that you can hijack.



