Compromising the shopper Laptop, including by putting in a destructive root certification in the method or browser belief store. SSL/TLS is especially suited for HTTP, because it can provide some defense even though only one aspect in the communication is authenticated. Here is the situation with HTTP transactions over the http://XXX