
> all you've done

Eh. I sort of disagree with this specific phrasing.

People shouldn't focus only on targeted attacks on the server. Of course if you have an HTTPS proxy in front of an HTTP server, you can be MITMed between those two servers, and that's very bad.

But even with that flaw you're getting benefits. Public networks can't inject malware/ads into that webpage, a MITM attacker between your proxy and the main server will have a harder time correlating a request with a specific person, and ISPs will have a harder time scanning the traffic for use with ads/metadata.

This is a similar argument that comes up sometimes about VPNs. I know people who argue that a VPN does nothing because it just moves trust from one party to another. But the reality is that if you search my public IP address, you will get a pretty decent approximation of where I live. In a world without a VPN, I'm not just choosing whether or not I trust my ISP, I'm choosing whether I'm comfortable giving a decent marker of my physical location to literally every single website that I visit.

That doesn't mean the "moving trust" concern isn't valid, it just means it's not the full picture of what a VPN (either privately hosted or through a 3rd-party) protects you from.

In the same way, it is a valid concern that, behind the scenes, data might not be encrypted between a proxy and a server. But that's not the full picture of what HTTPS protects you from. HTTPS also protects you at the router/network level.


