Right but that wasn't the point. The idea sometimes put out is that a more sophisticated instrumentation is less likely because it's more difficult. It's a misapplication of the threat model principle.
It's a false claim because the instrumentation is automated and the execution is identical.
To be even more specific about HTTPS, if someone is lying to you about DNS, lying to you about the key signer and lying to you about the keys, it still doesn't work because your browser ships with verification keys from the major key signers.
So the attacker would still have to break cryptography because they couldn't do a fake chain that matched the domain and the key that was sent to you with your browser.
Now if someone managed to break RSA then again, this would become a single program with as much effort to run as any other program even though it sounds like a lot more work. But there's no public break so it's assumed to be unachievable without vast computing resources.
When you're browsing with HTTPS, a third party may see:
- Your DNS queries (revealing the name of the website you're visiting),
- The handshake of your TLS connection, including Server Name Indication (SNI) (revealing the name of the website you're visiting).
A third party on the network is not, however, able to see the content of the website you're visiting, or the data you're submitting to the site.
When you're browsing with HTTP, a third party may see:
- Your DNS queries (same as above)
- The name of the website you're visiting (via the host header)
- Any and all information sent between you and the website, as well as being able to modify any and all data sent between you and the website.