You will find many websites, including popular websites like Quora, Stack Overflow, etc., not using SSL by default. What do you think is the reason? In this case, won't it be easy for some random hacker to read the session cookie in plain text?
I know content-driven sites will face some problems with SSL because the browser may show a warning for mixing secure and insecure content. But I think security comes first and SSL should be mandatory.
I think the spirit of this question refers to web apps as websites, but it could be a service that is available over HTTP. Here are some other reasons (if you consider any app over HTTP a web app):
You may not use SSL because you want to interact with your web app via curl. Curl with SSL is doable but kind of a pain in the butt in my experience.
Another reason might be performance. Perhaps this service lives in a secure network and you'd rather avoid the SSL handshake latency.
An example of these cases would be running Elasticsearch in AWS which is queried by another service (your actual website) also running in AWS.
I've never noticed that; I'm using the HTTPS Everywhere plugin, so it's always been HTTPS for me. I reckon since everything on the site is already public, there would be very little incentive to hijack somebody's session - the gain from it would be minimal unlike somebody that processes sensitive data.
Manoj Chandrasekar
full stack developer
I guess it's because those sites have content that is largely public anyway. That is, you don't have to log in to consume their content. They still would redirect to https when you do sensitive things like logging in or changing your profile.
Content-driven sites don't need to face any problems with SSL. Even major CDNs have https URLs nowadays. I don't see any reason at all not to use SSL for a web application today. It's just that a lot of sites started before SSL became commonplace and they haven't moved to encrypt the whole site yet.
I believe Jeff Atwood (stackoverflow.com's founder) would have made stackoverflow.com https by default if he started it today. You can read his thoughts on this matter here - blog.codinghorror.com/should-all-web-traffic-be-e…
Just checked... Quora does redirect to https by default.
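
The concern in the question (a session cookie readable in plain text on a site that only switches to HTTPS for login) comes down to whether the cookie carries the `Secure` attribute and whether the site sends an HSTS policy. The following is an added example, not part of any post in this thread, that audits the headers of a login response for both; the header values are constructed samples and the function names are hypothetical.

```python
"""Audit the headers of an HTTPS login response for plaintext session exposure."""

def parse_set_cookie(header):
    """Return (cookie_name, {attribute: value}) for one Set-Cookie header value."""
    first, *rest = [part.strip() for part in header.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs

def hsts_max_age(value):
    """Return max-age in seconds from a Strict-Transport-Security value, or 0."""
    for directive in value.split(";"):
        key, _, val = directive.partition("=")
        if key.strip().lower() == "max-age":
            val = val.strip().strip('"')
            return int(val) if val.isdigit() else 0
    return 0

def audit_login_response(headers):
    """headers: list of (name, value) pairs. Returns a list of findings."""
    findings = []
    hsts = 0
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            cookie, attrs = parse_set_cookie(value)
            if "secure" not in attrs:
                findings.append(f"cookie '{cookie}' lacks Secure: sent on plain-HTTP requests too")
        elif lname == "strict-transport-security":
            hsts = max(hsts, hsts_max_age(value))
    if hsts == 0:
        findings.append("no effective HSTS policy: later http:// requests are not upgraded")
    return findings

# Constructed sample headers (not captured from any real site).
MIXED_SITE = [  # HTTPS for login only, content served over HTTP
    ("Set-Cookie", "session=4f2a9c; Path=/; HttpOnly"),
    ("Set-Cookie", "prefs=dark; Path=/; Secure"),
]
HTTPS_ONLY_SITE = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session=4f2a9c; Path=/; HttpOnly; Secure; SameSite=Lax"),
]

if __name__ == "__main__":
    for label, hdrs in (("mixed", MIXED_SITE), ("https-only", HTTPS_ONLY_SITE)):
        print(label, audit_login_response(hdrs) or "no findings")
```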