Especially point 4 («Not having your content modified by carriers») is getting more and more important these days. Whenever I hear people saying that they don't need https as they are providing a strictly read-only experience I always wonder what they will say as their ads get replaced with other ads by carriers and other "transparent" proxies in between.
And if your site is only moderately complex and using some of the more advanced HTTP features (pipelining, websockets or plain long polling), you might be better off using SSL too because by now the likelihood of any of this working unhindered by various "security" and "traffic optimization" tools is approaching zero very quickly.
On the other hand, I wonder how long it's going to take before carriers and providers in general mandate the installation of a root cert "for your security" in order to be able to continue messing with the traffic to insert ads or "increase security".
To reiterate your point. I've used free/complimentary wifi that overlays ads (specifically: megabus wifi). It is awful and even made some sites difficult to use. My solution at the time was to use a VPN, but it would have been nice if I didn't have to resort to that.
>> the likelihood of any of this working unhindered by various "security" and "traffic optimization" tools is approaching zero very quickly.
Except that anti-virus software is now man-in-the-middling HTTPS, and it is considered "normal". All the security of HTTPS being thrown away for the sake of scanning all transfers.
If it's happening locally (likely) and if it's handling certificate validation correctly (way less likely), then there's no difference connection-security-wise between the AV tool running or not running.
Of course, the AV tool will still mess with your connections and break them in interesting ways, but that has been true since the beginning of AV and in case of local AV you can at least ask the user to try and turn it off. If it works then, you can blame the AV software.
If you have a proxy server which does, for example, duplicate some POST requests, accountability is much harder and you will probably have to resort to adding workarounds for the issue (this has happened to me).
What do we do about censorship? When countries block all foreign HTTPS?
It really feels like websites should know what transport they're operating on (secure vs unsecure) and present what information they can reasonably with unsecure. Though turning every website into a "modal" thing is also a pretty high order.