User types 'bukkit.org' into their browser address bar and hits enter whilst at a conference on an open WiFi network. They've visited the site before in the past and now that it uses SSL everything should be okay, right?

Attacker intercepts the HTTP request on port 80. Normally the response would be something like:

    HTTP/1.1 301 Moved Permanently
    Date: Wed, 09 Dec 2015 10:59:25 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: keep-alive
    Location: https://bukkit.org/
    Server: cloudflare-nginx

Attacker connects to https://bukkit.org/ on the victim's behalf, swallows the redirect response and serves all the secure pages back to the victim on port 80. Victim logs into the forums, inadvertently sends the password to the attacker and has their session cookie compromised too.

Victim happens to have admin access. Attacker uses this to inject malicious scripts into the page and compromise even more accounts. Eventually someone notices and notifies Curse. Maybe the script is removed after a few months, maybe the users are informed - it doesn't matter because at this point all of the passwords of those who've logged in have been compromised. A smarter script would forcibly log the user out and make them log in again to harvest the passwords of everyone who visited.
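The weak link in the scenario above is that the 301 travels in cleartext, so the proxy in the middle can simply not forward it. The standard mitigation, which the post does not name, is an HSTS policy (Strict-Transport-Security) sent over HTTPS: a browser that has cached it from an earlier visit upgrades 'bukkit.org' to https:// internally and never makes the port-80 request at all. The following is an added example, not code from the post or from Bukkit/Curse, that parses the redirect quoted above plus two constructed HTTPS responses (one without HSTS, one with a one-year policy) and reports whether a returning visitor is actually protected. The HTTPS responses and the max-age threshold are assumptions made for the example.

```python
"""Added example (not from the original post): judge whether the cleartext
redirect quoted above protects a returning visitor from an SSL-stripping
proxy, and whether the HTTPS origin sends an HSTS policy that would."""
import re
from typing import Dict, Optional, Tuple

# The cleartext response quoted in the post, reassembled as wire format.
HTTP_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Date: Wed, 09 Dec 2015 10:59:25 GMT\r\n"
    "Content-Type: text/html\r\n"
    "Transfer-Encoding: chunked\r\n"
    "Connection: keep-alive\r\n"
    "Location: https://bukkit.org/\r\n"
    "Server: cloudflare-nginx\r\n"
    "\r\n"
)

# Constructed HTTPS responses (assumptions, not captured from the site):
# one without HSTS, one with a one-year policy.
HTTPS_NO_HSTS = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
HTTPS_WITH_HSTS = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
    "\r\n<html></html>"
)

ONE_YEAR = 31536000  # assumed minimum max-age for a policy to count as effective


def parse_response(raw: str) -> Tuple[int, Dict[str, str]]:
    """Return (status code, headers) from a raw HTTP/1.x response.
    Header names are lower-cased; the body is ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    match = re.match(r"HTTP/\d\.\d (\d{3})", status_line)
    if not match:
        raise ValueError(f"bad status line: {status_line!r}")
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(match.group(1)), headers


def parse_hsts(value: str) -> Dict[str, object]:
    """Split a Strict-Transport-Security value into its directives."""
    policy: Dict[str, object] = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age" and val.isdigit():
            policy["max_age"] = int(val)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def assess(http_raw: str, https_raw: str, min_max_age: int = ONE_YEAR) -> Dict[str, object]:
    """Judge the stripping risk for a visitor who has been to the site before.

    The redirect is read from the cleartext response (the hop the attacker
    controls). Browsers only honour HSTS received over HTTPS, so the policy
    is read from the HTTPS response and a copy sent on port 80 is reported
    as wasted rather than counted."""
    http_status, http_headers = parse_response(http_raw)
    _, https_headers = parse_response(https_raw)

    location = http_headers.get("location", "")
    redirects_to_https = http_status in (301, 302, 307, 308) and location.lower().startswith("https://")

    hsts_value: Optional[str] = https_headers.get("strict-transport-security")
    hsts = parse_hsts(hsts_value) if hsts_value else None
    max_age = hsts["max_age"] if hsts else None
    hsts_effective = isinstance(max_age, int) and max_age >= min_max_age

    return {
        "redirects_to_https": redirects_to_https,   # true for the quoted 301, but swallowable
        "hsts_effective": hsts_effective,           # what actually stops the port-80 request
        "hsts_only_on_http": hsts is None and "strict-transport-security" in http_headers,
        "preload_ready": bool(hsts and hsts["preload"] and hsts["include_subdomains"] and hsts_effective),
        "returning_visitor_safe": hsts_effective,
    }


if __name__ == "__main__":
    for label, https_raw in (("no HSTS", HTTPS_NO_HSTS), ("with HSTS", HTTPS_WITH_HSTS)):
        print(label, assess(HTTP_RESPONSE, https_raw))
```

Run against the quoted redirect, the first case reports `redirects_to_https` true but `returning_visitor_safe` false: the redirect is exactly the response the proxy discards. The second case is safe because the browser already holds the policy from the earlier HTTPS visit the post itself assumes. Note the caveat built into the verdict: HSTS protects only visitors who have seen the policy before (or whose browser ships it via a preload list), which is why the check reports preload readiness separately.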