In the spring of 2014, I found a bug in several browsers, including Epiphany, Xombrero, Opera Mini and Midori. They were loading subresources, such as scripts, from HTTPS servers without doing proper certificate validation. I tracked this down to some bad defaults in webkit which have since been fixed.

Sometimes I do things for no real reasons other than "because I can" and/or "it amuses me". For example, embedding a snarky message into my HTTPS certificate.