I know everyone uses TLS/SSL as transport layer security on the web.
What would prevent me from generating, let’s say, a keypair manually, encrypting data client-side (using JS for example) with that public key and submitting that data to my server with an HTTP GET/POST request?
I mean – I can just use a JS library to encrypt some form data with that public key – right?
Only the person who has the private key can decrypt it – right? And the private key would be kept on the server of course. No key warning will pop up – since transmission is a regular HTTP request. So why do I need TLS?
Let’s give an example of how this could go wrong. Let’s say that what you’re trying to encrypt is some form data and send it to the server. The server sends its public key to the client to encrypt with. The client in JavaScript encrypts this data and sends it to the server. Assuming that’s what happened, you’d be okay.
Now let’s explore how this could go wrong. With the status of switching and the like these days it is fairly hard to sniff someone else’s packets without access to the hardware. Therefore, most of the cases you are trying to avoid also allow the attacker to present a man-in-the-middle attack. In this case the attacker could provide the client with whatever JavaScript they pleased. A clandestine way of stealing data would be to provide JavaScript that does everything that the original JavaScript does, and then also sends the unencrypted data to another server.
This can happen in a similar fashion for data from the server being sent to the client.
P.S. If your problem is the lack of a CA signed cert, I would suggest getting a free one from http://www.startssl.com/
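
The failure mode described in the answer above, as an added example that is not part of the original post: an in-process Node.js simulation showing that the server decrypts the same form data whether the client ran the intended script or an altered one, so only an authenticated delivery channel (which TLS provides) protects the script. All names (`runDeliveredPage`, `otherDestination`, the sample form) are hypothetical and the data is constructed; nothing touches the network.

```javascript
// Added illustration; hypothetical names, constructed data, no network I/O.
const crypto = require('node:crypto');

// Server side: the private key never leaves the server.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const oaep = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Script body the server intends to deliver over plain HTTP.
const originalScript = 'return encrypt(JSON.stringify(form));';

// Script body as it may arrive after modification in transit (constructed):
// identical encryption, plus a copy of the plaintext kept somewhere else.
const modifiedScript =
  'otherDestination.push(JSON.stringify(form));\n' +
  'return encrypt(JSON.stringify(form));';

// Browser stand-in: it runs whatever script text arrived. Over HTTP it has
// no trusted reference to compare that text (or the public key) against.
function runDeliveredPage(scriptText, deliveredKey, form, otherDestination) {
  const encrypt = (s) => crypto.publicEncrypt({ key: deliveredKey, ...oaep }, Buffer.from(s));
  const page = new Function('form', 'encrypt', 'otherDestination', scriptText);
  return page(form, encrypt, otherDestination);
}

function serverDecrypt(ciphertext) {
  return crypto.privateDecrypt({ key: privateKey, ...oaep }, ciphertext).toString();
}

function sha256(text) {
  return crypto.createHash('sha256').update(text).digest('hex');
}

function demo() {
  const form = { user: 'alice', card: '0000-constructed' };
  const seenElsewhere = [];
  const honest = serverDecrypt(runDeliveredPage(originalScript, publicKey, form, []));
  const altered = serverDecrypt(runDeliveredPage(modifiedScript, publicKey, form, seenElsewhere));
  return {
    serverSeesSame: honest === altered,          // server cannot tell the two apart
    plaintextCopies: seenElsewhere.length,       // plaintext existed outside the ciphertext
    scriptHashesDiffer: sha256(originalScript) !== sha256(modifiedScript),
  };
}

console.log(demo());
```

The differing hashes show the change is detectable only by someone who already holds a trustworthy copy of the script, which is exactly what a client on an unauthenticated connection lacks.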