Why Even a Little Plaintext Matters

  • Why every website should use HTTPS: This blog post expands on an earlier Twitter thread about the importance of HTTPS. It uses examples such as shrug.io to argue that even a simple static page should be served over an encrypted connection.

    • Malware and exploit delivery: Attackers use plaintext webpages to deliver malware and browser exploits, and well-resourced attackers have targeted specific victims by injecting redirects into unencrypted HTTP traffic. Two arguments are raised against treating this as a significant attack vector: one is simply defeatist, and the other is that attackers have other ways to get victims onto malicious webpages. Closing off the network-injection vector is still worthwhile.
    • Subjectivity of “sensitive”: Determining what is “sensitive” web traffic is subjective and context-dependent. The U.S. federal government emphasized this in its HTTPS-Only Standard. Even seemingly non-sensitive websites can have capabilities that can be abused.
    • The power of defaults: Simple or non-sensitive websites should use HTTPS to make the whole web safer. As HTTPS becomes more prevalent, default protections against passive eavesdroppers have improved. But more work is needed for active attackers, like showing warnings before loading HTTP pages. Browsers can only consider these protections when HTTPS usage is widespread.
  • Contact information: Thanks to Joe DeBlasio and other Chrome teammates. Contact the author on Bluesky (https://bsky.app/profile/esta... for thoughts or feedback. All blog content represents the author's personal opinions and not those of the author's employer.
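The post's argument has a direct defender-side consequence: a site operator should verify that a page, however simple, is not reachable in plaintext at all. The following Python audit is an added example, not code from the original post or from the Chrome team. It classifies a fetched page from the scheme it was fetched over, its status code and its response headers, and reports plaintext exposure; the inputs are constructed sample values, so it runs offline. The Strict-Transport-Security (HSTS) check goes beyond the post, which does not mention that header; it is the standard mechanism by which a site tells browsers never to load it over plain HTTP again, and it is an assumption of this example that the site in question wants that behaviour.

```python
"""Audit a fetched page for plaintext (plain-HTTP) exposure.

Added example; the hosts and headers below are constructed sample data.
"""

from urllib.parse import urlparse

ONE_YEAR_SECONDS = 31536000


def _parse_max_age(hsts_value):
    """Return the max-age from an HSTS header value, or None if absent/invalid."""
    for directive in hsts_value.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age":
            try:
                return int(value.strip().strip('"'))
            except ValueError:
                return None
    return None


def audit_plaintext_exposure(url, status, headers):
    """Return a list of (severity, message) findings for one fetched page.

    url     -- the URL the page was actually fetched from (scheme matters)
    status  -- HTTP status code of the response
    headers -- response headers as a dict (case-insensitive lookup below)
    """
    findings = []
    hdrs = {k.lower(): v for k, v in headers.items()}
    scheme = urlparse(url).scheme.lower()

    if scheme == "http":
        # A plain-HTTP request is only acceptable if it immediately
        # bounces to HTTPS; anything else leaves the page injectable.
        location = hdrs.get("location", "")
        if 300 <= status < 400 and urlparse(location).scheme.lower() == "https":
            findings.append(("info", "plain-HTTP request redirects to HTTPS"))
        else:
            findings.append(("high", "page is served over plaintext HTTP; "
                             "any on-path party can read or alter it"))
        return findings

    # Fetched over HTTPS: check that the browser is told to stay there.
    hsts = hdrs.get("strict-transport-security")
    if hsts is None:
        findings.append(("medium", "no Strict-Transport-Security header; "
                         "future http:// navigations remain possible"))
    else:
        max_age = _parse_max_age(hsts)
        if max_age is None or max_age < ONE_YEAR_SECONDS:
            findings.append(("low", f"HSTS max-age is short ({max_age})"))
    return findings


# Constructed sample responses for a hypothetical static site.
SAMPLE_RESPONSES = {
    "static_plaintext": ("http://static.example/", 200,
                         {"Content-Type": "text/html"}),
    "redirect_to_https": ("http://static.example/", 301,
                          {"Location": "https://static.example/"}),
    "https_no_hsts": ("https://static.example/", 200,
                      {"Content-Type": "text/html"}),
    "https_with_hsts": ("https://static.example/", 200,
                        {"Strict-Transport-Security":
                         "max-age=63072000; includeSubDomains"}),
}


def audit_samples():
    """Run the audit over every constructed sample; returns name -> findings."""
    return {name: audit_plaintext_exposure(*resp)
            for name, resp in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, findings in audit_samples().items():
        print(name, findings or [("ok", "no plaintext exposure found")])
```

In practice the three arguments would come from a real fetch (for example `requests.get(url, allow_redirects=False)`), and the audit would be run once for the `http://` form of every hostname the site answers on, since the "high" finding is exactly the case the post is about: a page that a network attacker can rewrite because it was never forced onto HTTPS.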