Kind of makes you wonder why there's not rudimentary encryption included in HTTP, if everyone is going to have to go to using a CA signed public/private key certificate.
Keep in mind, you can't issue a CA signed certificate immediately. There's always going to be lag time between when a website is resolving to a server and when the CA issues a certificate. 1) It takes time for nameserver changes to take effect and 2) it takes time for the CA to process and issue a certificate.
A lot of this could be solved with self-signed certificates. But no... self-signed certificates were vilified several years ago.
If you buy a domain name and hosting right now, this minute, it will still take several minutes for a CA certificate to be issued for the domain name. And for the most part, cPanel's AutoSSL won't issue a certificate until the night following the domain name being set up.
A self-signed certificate can be set up immediately, because it's not signed by any 3rd party. Sure it risks MITM attacks, but it provides instant encryption.
So why were self-signed certificates vilified so many years ago?
Why not a small browser message: "This site is using a self-signed certificate" and "This site is using a CA signed certificate" and "This site is using an EV certificate (see pretty green address bar and everything)"? This would essentially make non-HTTPS traffic obsolete.
I think HTTP should be removed if it doesn't give any benefits for users any more.
I also want to know what percentage of websites are using HTTP and how many are using HTTPS. Can anyone share this info?
I think that must be a very long time, many years to decades. All the websites in the world cannot upgrade to HTTPS as easily as clapping hands. Until HTTP is useless - no benefit, as @Maxoq mentioned - they will not use it anymore. I definitely agree with his opinion.
The HTTPS Everywhere extension was perhaps created for this reason, at least partially. It forces HTTP websites to use HTTPS, but I find that it breaks sites. I believe in encryption as much as possible, although there seem to be cautions against it probably because it might be more work than what it pays off.
I think we need to use it for certain types of sites, and I don't mean banking sites. That's another security discussion entirely.
Anywhere personal details are entered and personal communications take place would be a good starting point to have the minimum level of encryption. I'm not just worried about the secure connection, I'm also worried about other ways and points at which the data can be compromised.
I don't want to get off topic too much, so to answer, I feel that it's not a matter of should every website be HTTPS as much as it is a matter of when that will be the norm.