Sounds fine for shopping, online banking, user authorizations. But for every website? If I'm a blogger/publisher or have a brochure type of website, I don't see the point of the extra overhead.
This isn't the best example, just the first thing I found in Google: http://www.zdnet.com/article/nebuad-isps-named-in-class-acti... They settled for 2.4 million. https://en.wikipedia.org/wiki/NebuAd#Class_action_lawsuit
I'm not going to waste my Friday night looking up old lawsuits to save a few HN reputation points. But I can tell you, I remember first reading about this stuff ~1999 when ISPs wanted to get their content in front of the Internet, but I don't remember the exact details. I've been following Boardwatch, WIRED, Techdirt, Digg, Slashdot, TechMeme and TechCrunch since then and consider myself relatively informed. I thought we were beyond this by now, 15 years later, but apparently I was wrong!
Sounds like a rare fringe case. Not a "DEFAULT" scenario. If you disagree, you sound really paranoid.
I'm only asking why it should be the "default" for the entire Internet? This is not a good argument to make it the default.
I'm not against https at all.
Also, you just don't have a clue who is watching your traffic and what they are using it for, and machines are only getting more powerful, enabling ever more advanced analysis of your communication (think of someone intelligent, with a brain, watching everything you do, or rather watching everything everyone does, but with sufficient intelligence to pay as much attention to you as a single person could watching a single person - that's probably not an accurate model (yet), but still probably closer than what you imagined). Imagine a representative from your internet provider or the government ringing at your door - if you wouldn't let them in to sit next to you/follow you wherever you go around the clock, you probably would also prefer encrypted communication if you understood what one can do with your internet traffic.
Well, there is very little cost for what it offers. It takes developers a few days or more likely now a few hours to set up and only serves the viewer better. It affords the visitor some level of trust that the site hasn't been tampered with and their login credentials aren't being siphoned off, for example.
If you are the author of a blog (with comments disabled), and you don't care if your message is manipulated, then that's your choice. But before you know it, vanilla http will be blocked in browsers, and you'll need to make the change anyway.
The most advertised gain from using TLS is security, but to me an equally important gain is not having to deal with broken middleboxes.
Introduce arbitrary code and data for your User Agent to execute and decode.
This can be something as simple as data alteration to mislead the target or disrupt his communications. However, if the attacker has some Sweet 0-Day Sploit, (or some old-and-busted 'sploit that works on the target's old-and-busted User Agent) they can MitM any HTTP session and use that sploit to do $SOMETHING_NEFARIOUS.
This isn't theoretical. The NSA slides spoke of active attacks against older versions of Firefox shipped in the Tor Browser Bundle. Similar attacks making use of WebRTC to leak data were proposed and fixed, posthaste.
An additional benefit of HTTPS is the reduction of metadata provided to passive attackers. (HTTPS sessions encrypt the names of the resources requested from the remote server. There are still ways to get an idea of what's being requested, but all an adversary knows for sure is that you're talking HTTPS to a particular web server.)
One way that it is advantageous for clients if they can afford it is that it stops e.g. ISPs from inserting ads into webpages, which is good.
If a client can't afford to use HTTPS, they can opt out, I would think?