How dangerous is plain http?