There is a big push for news organizations to adopt HTTPS, because it will make it harder for snoopers to observe what people are reading. In countries where information is seriously censored, this protection could save people from unpleasant consequences. Just how much privacy does HTTPS give us, though?
It gives us nothing if the government demands a site’s private SSL key, installs equipment to intercept communication, and orders the site not to tell anyone that it’s happened. After that, spies can get everything, including passwords and credit card numbers. This, of course, only happens in authoritarian countries like … well, the United States. That’s what the authorities tried to do to Lavabit. There are probably many more sites where the Feds have made similar demands and we haven’t heard.
Even when it hasn’t been compromised, TLS encryption doesn’t hide all information. (TLS is the correct name, and the name SSL properly belongs only to old versions, but everyone still talks about SSL.) Your IP address and the domain you’re trying to reach are still visible to anyone grabbing data long the way. That’s why using a proxy helps; only the proxy domain or IP address and not the one you’re visiting will be visible in cleartext.
Old versions of SSL (including all the ones that really are SSL) have security weaknesses. Their hashing algorithms aren’t strong enough to stand up to serious computing power. Not many sites depend on those versions any more, but a man-in-the-middle attack can trick a site into downgrading the version it uses. The POODLE attack uses this trick, taking advantage of backward compatibility.
Another danger is the installation of spyware on the client machine, causing it to treat bogus, unsigned SSL certificates as valid. Lenovo pulled this trick in 2014, shipping millions computers with “Superfish” spyware to its customers. People with infected computers saw Google search results modified and ads inserted into pages, even if they were using an allegedly secure connection. Superfish also opened a huge security hole that others could easily exploit. I have no idea why Lenovo is still in business after betraying its customers that way. I’d certainly never buy a computer from them.
This isn’t to say that HTTPS connections are worthless. Far from it. But if you’re seriously concerned about your privacy, they aren’t a guarantee by themselves.