EFF: “Way back in 2010, we launched our popular browser extension HTTPS Everywhere as part of our effort to encrypt the web. At the time, the need for HTTPS Everywhere to protect browsing sessions was as obvious as the threats were ever-present. The threats may not be as clear now, but HTTPS Everywhere is still as important to users as ever.
In 2010, HTTPS Everywhere was a novel extension. It allowed users to automatically use the secure version of websites that offered both insecure HTTP and secure, encrypted HTTPS. Sites such as Google had only recently exposed to users the option to search using HTTPS. Facebook had not yet allowed users to browse the site securely.
The dangers of insecure browsing were demonstrated by the powerful browser extension Firesheep, which intercepted HTTP packets and allowed attackers on the same WiFi network as their victims to hijack browsing sessions when logged in to popular sites. Firesheep provided a simple point-and-click interface to perform this “session hijacking” attack – no need for terminal screens or complicated command-line tools. Tools with similar functionality had existed for a while, but anyone could install Firesheep with minimal effort.
Fast forward to 2018. HTTPS is more prevalent than ever, and continuing to take big strides. On July 24, Google announced that users of its Chrome browser would see HTTP sites labeled as “not secure.” And a Google transparency report shows that between 71% and 90% of page loads are over HTTPS as of December 2018. The vast majority of the top sites not only offer HTTPS, but automatically redirect to the HTTPS version of the site when you connect over HTTP. This has led a lot of people to ask a very good question: what’s the point of using HTTPS Everywhere anymore? Why should we use it when sites are already forwarding us to the secure version?…”