It appears to be a huge problem... perhaps messages sent over the air for such an important system should be crypto-signed?
It reminds me of when the Army's drone was diverted and captured because someone spoofed GPS... It probably isn't possible to capture a drone in the same way anymore because I'm sure that they fixed this flaw.
It's like the HTTP vs HTTPS problem ... but anyone can MITM attack because the signal is wireless (and not encrypted and/or signed).
It’s not surprising that Google prefers reliable sites with a valid server certificate.
In this case, the user can be sure that the site uses encryption of personal data to increase protection and security. However, it must be understood that obtaining a certificate can be a daunting task (which accounts for the additional weight of this factor when ranking).
When a site requests a certificate, the organization that issued the certificate becomes a trusted third party to read more here https://sitechecker.pro/http-vs-https/ and check it. When your browser accesses a site that uses the secure HTTPS protocol, it uses the information contained in the certificate to authenticate the site. A user who understands the difference between HTTP and HTTPS, can safely make purchases, and not be afraid that his data will be stolen.
It reminds me of when the Army's drone was diverted and captured because someone spoofed GPS... It probably isn't possible to capture a drone in the same way anymore because I'm sure that they fixed this flaw.
It's like the HTTP vs HTTPS problem ... but anyone can MITM attack because the signal is wireless (and not encrypted and/or signed).