>most of the web is now end-to-end encrypted with HTTPS. So why does he need a VPN at the airport?
What percentage of (typically rushed) people at an airport will notice that a website is loading over http instead of https? SSLsplit is pretty useful.
My bank doesn't _and_ there's a redirect to a different domain (rbs.co.uk homepage does to personal.rbs.co.uk, rbs.co.uk/englandandwales or the login link goes to rbsdigital.com). Serve a redirect on the non-HTTPS rbs.co.uk to some other plausible domain with a valid HTTPS certificate, and I probably wouldn't notice.
Last time I checked, about 2 years ago, none of the Swedish banks used HSTS. And a couple of them used HTTP on their main page and and HTTPS on their internet bank which was put on some weird domain. Chrome's changes has since then forced them to move everything to HTTPS but I would be very surprised if they all use HSTS now.
What percentage of (typically rushed) people at an airport will notice that a website is loading over http instead of https? SSLsplit is pretty useful.