User generated content sites are some of the most important that need to implement HTTPS.
Consider reddit for example. The entire site is HTTP. That means your ISP can pull up a list of your entire reddit browsing history. They can see every post you read, every comment you wrote, etc. Collectively this data could form quite an accurate picture of a person's mental makeup. Is that the kind of data you want floating around?
HTTPS encrypts query strings so upstream providers cannot see which specific pages you browse.
Of course, HTTPS still shows domain names... but it's a start. Next step is DNSSEC for everybody!
p.s. Anyone interested going down the rabbithole exploring mass tracking of individuals, should google "entity mapping llc" and poke around the results...
from what I remember reading is that when they first started with HTTPS, they weren't able to easily deal with the added overhead. They switched to cloudflare and are working on rolling out HTTPS across the site. One of the changes involves removing the reddit bar.
You can allow your copy of HTTPS Everywhere to send us certs, which can help researchers understand what CAs are doing and potentially detect misissued certs.
Two other important mechanisms are Certificate Transparency and HPKP.
The former is a way -- I hope! -- to eventually require the open publication of all issued certs that the public is expected to trust. The latter is a way for sites that you successfully connect to at one point to prevent other CAs that they don't have any relationship with from helping to MITM your future connections.
For the answer to what SSL has to do with certificates in the trust store, the best demonstration is by example. Try to setup mitmproxy on EC2 to MITM your own HTTPS connections. In order to do so, you will need to install a trusted root certificate on your device.
Consider reddit for example. The entire site is HTTP. That means your ISP can pull up a list of your entire reddit browsing history. They can see every post you read, every comment you wrote, etc. Collectively this data could form quite an accurate picture of a person's mental makeup. Is that the kind of data you want floating around?
HTTPS encrypts query strings so upstream providers cannot see which specific pages you browse.
Of course, HTTPS still shows domain names... but it's a start. Next step is DNSSEC for everybody!
p.s. Anyone interested going down the rabbithole exploring mass tracking of individuals, should google "entity mapping llc" and poke around the results...