As it is right now, when you browse to your favorite website, your web browser attempts to connect insecurely first and then, if told to, it will try again securely. I suspect this will change one day soon and the sooner the better.
Most websites that you visit today will automatically redirect you from “http://” to the secure “https://” method of communication. The “s” means it is secured. The redirection is a good thing, but the insecure default is bad.
We want everything to happen securely because we want to know that from the time we start surfing the web until the time we finish, our communications (search terms, etc.) are hidden from those who could intercept those messages and use them against us. Remember, on the net, you are the product.
The default of “http://” is how it has always been and it works fine for the most part. However, it lacks all the goodness that “https://” (secure) gives us. The secure method does two important things: a) it ensures that communications between your web browser and the target server (say, your bank) are private, and b) it ensures that the target server is who it says it is.
I’m not going to use this post to demonstrate how a hacker exploits this vulnerability (using insecure before secure), but I simply want to make the point that if secure is good as an alternative to insecure, it should be considered as the default, and perhaps insecure should become the secondary option.
If you do want to know how a hacker can use this vulnerability against you, consider a hacker running a DHCP service on their laptop while joined to a coffee-shop Wi-Fi network. The hacker controls the DNS server and can send you (your web browser) to any server, including one they control, and serve whatever content they like, which your web browser displays. No security, no certificates, no warnings.
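To make the "insecure first, then redirect" behaviour concrete, here is an added example (not code from this post) that parses the response a site gives to that first plain "http://" request and classifies it: a redirect back to "https://" on the same host (the good case the post describes), a redirect somewhere else, or content served straight over plaintext (the case a coffee-shop attacker with rogue DHCP/DNS can swap in, since that first hop carries no certificate at all). It also checks the HTTPS response for the Strict-Transport-Security header, which the post does not mention but which is the standard way a site tells browsers to skip the insecure first request on later visits. The host name and the three HTTP responses are constructed for the example; nothing is fetched from the network.

```python
"""Classify what a site does on a browser's first, insecure request.

Added example for this post; not the author's code. All responses below are
constructed inline so the script runs offline.
"""
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse


def parse_response(raw: str) -> Tuple[int, Dict[str, str]]:
    """Split a raw HTTP/1.1 response into (status_code, lower-cased headers)."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ")[1])          # "HTTP/1.1 301 Moved" -> 301
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def classify_first_hop(raw: str, requested_host: str) -> str:
    """Decide what happened on the plaintext http:// request for requested_host.

    'redirects-to-https'  -> the good case: a redirect to https:// on the same host
    'redirects-elsewhere' -> a redirect, but to another scheme or host
    'serves-over-http'    -> a page came back in the clear (no certificate involved)
    """
    status, headers = parse_response(raw)
    if 300 <= status < 400 and "location" in headers:
        target = urlparse(headers["location"])
        if target.scheme == "https" and target.hostname == requested_host:
            return "redirects-to-https"
        return "redirects-elsewhere"
    return "serves-over-http"


def hsts_max_age(raw: str) -> Optional[int]:
    """Return max-age from a Strict-Transport-Security header, or None if absent.

    A positive max-age means the browser will go straight to https:// on later
    visits instead of trying the insecure request first.
    """
    _, headers = parse_response(raw)
    sts = headers.get("strict-transport-security")
    if sts is None:
        return None
    for directive in sts.split(";"):
        key, _, value = directive.strip().partition("=")
        if key.lower() == "max-age":
            return int(value)
    return None


# Constructed sample responses (hypothetical host "example.test").
HOST = "example.test"
REDIRECT_TO_HTTPS = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://example.test/\r\n"
    "Content-Length: 0\r\n\r\n"
)
PLAINTEXT_PAGE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 30\r\n\r\n"
    "<html><form>login</form></html>"
)
REDIRECT_OFF_HOST = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://other.test/\r\n\r\n"
)
HTTPS_WITH_HSTS = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for label, raw in [("good site", REDIRECT_TO_HTTPS),
                       ("plaintext site", PLAINTEXT_PAGE),
                       ("off-host redirect", REDIRECT_OFF_HOST)]:
        print(f"{label}: {classify_first_hop(raw, HOST)}")
    print("HSTS max-age:", hsts_max_age(HTTPS_WITH_HSTS))
```

The classifier only looks at the first hop because that is the only part of the exchange the attacker in the coffee-shop scenario needs to control: a redirect to the real "https://" site is fine, but a 200 over plaintext is exactly what a rogue DNS answer can substitute, with no certificate check to fail. A site that sends a long HSTS max-age closes that window for repeat visitors, which is the practical fix while browsers still default to "http://".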