Lukewarm take:
When I see general* "security advice" that mentions "do not use public WiFi" or "use a VPN", I am immediately suspicious about all other advice offered.
Yes, a decade ago that was a consideration, because most sites were not using HTTPS. Credentials were flying cleartext on the wire.
Today, almost all sites use HTTPS. Doesn't mean the risk is zero, but it's way lower.
*) "general" meaning "without a very specific threat model in mind", meant for general public, etc.
Actually, downgraded that take to "lukewarm", it should really not be controversial at all these days. It's been a hot minute since LetsEncrypt changed the HTTPS landscape!
What is beyond me is that such "security advice" still gets pushed. 
Also, shout-out to @letsencrypt for dramatically changing the security landscape of the Web for the better over the years.
Rarely is there an example of a project so effective and so directly improving everyone's lives, while at the same time keeping the original engineering mindset and just Doing Stuff Right™ humbly in the background.
Next November it will have been exactly a decade since LE started. We all owe them a huge 10th birthday party.
@rysiek And other people just say this was Google enforcing TLS security with HTTPS on the web.
There are legitimate applications on the web, that don't need TLS to work, which are perfectly fine for the creative commons, e.g..
And that it's not clear why a web page requested via HTTP should be marked as insecure in the UI, if it will not receive any particularly sensitive information.
That Let's Encrypt was a heist to further enclose the open web.
It was a revelation for some, not all.
Michał "rysiek" Woźniak · 🇺🇦
jon r
Max Harmony