Comment by chunkiestbacon
11 years ago
The real problem here is that http is unencrypted by default. It really should be encrypted so that passive listeners can't see the traffic. I know that this is no protection against man in the middle attacks, but at least WiFi sniffers and similar would be stopped. State Actors would have to actively do something which might be registered. It would be a great improvement, because in the current system, most websites are going to stay unencrypted because it takes money and effort to set up a certificate. The millions of shared hosters won't do it by default.
What we can do:
- Change the http protocol to be encrypted?
- Create an apache module that automatically does this and needs no setup time (generate private keys automatically?)
Of course there shouldn't be any indicator of this encryption in the address bar of the browser.
Maybe it's too late.