
Disagree, purely informational websites have no need for TLS.



The need for TLS is less in purely informational websites, but there are a number of problems with this attitude. For one thing, the content of the pages you visit still leaks information about a user, even if the page isn't customized per user.

Second, authenticated, trustworthy SSL connections provide MITM protection and prevent modification of the content you receive - the transition from HTTP to HTTPS is generally going to be vulnerable to an sslstrip-like attack, homoglyph attacks, etc., plus content could be modified maliciously in transit directly over an HTTP connection (a less drastic form of this sort of thing has happened many times with ISPs adding in tracking cookies in transit, or Comcast adding some JavaScript to pages when you get close to your bandwidth limit).

In any case, the cost of all-TLS is really not so high that you can't enable it just for edge cases who want or need to use secure connections for all internet communication.
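
As an added illustration of the two attacks named in the comment above (an sslstrip-style downgrade of the HTTP-to-HTTPS transition, and in-transit script injection on a plaintext page) and of the client-side check that blocks the downgrade, here is example code written for this page; it is not code from the comment's author. The HTML response, the redirect and HSTS headers, and the host isp.example are all constructed for the example, and the HSTS store is a minimal model of the RFC 6797 behaviour, not a real browser's.

```python
import re
from urllib.parse import urlsplit

# Constructed sample response from a plaintext HTTP site (not a real site).
SAMPLE_BODY = """<html><body>
<a href="https://example.com/login">Log in</a>
<a href="https://example.com/menu">Menu</a>
<a href="http://example.com/directions">Directions</a>
</body></html>"""

# Hypothetical injection host, standing in for the ISP script injection
# described in the comment; isp.example is a placeholder, not a real host.
INJECTED_TAG = '<script src="http://isp.example/notice.js"></script>'


def strip_tls_links(body: str) -> str:
    """sslstrip-style rewrite: the attacker sits on the plaintext hop and
    turns every https:// link into http://, so the client never upgrades."""
    return body.replace("https://", "http://")


def downgrade_redirect(headers: dict) -> dict:
    """Same idea for an HTTP->HTTPS redirect: the attacker follows the
    https:// Location itself and hands the client a plaintext URL instead."""
    out = dict(headers)
    loc = out.get("location")
    if loc and loc.startswith("https://"):
        out["location"] = "http://" + loc[len("https://"):]
    return out


def inject_script(body: str, tag: str = INJECTED_TAG) -> str:
    """Content modification in transit: append a script tag before </body>."""
    return body.replace("</body>", tag + "</body>", 1)


def attacker_rewrite(body: str) -> str:
    """What an on-path attacker (or a meddling ISP) can do to one HTTP page."""
    return inject_script(strip_tls_links(body))


def link_schemes(body: str) -> list:
    """Schemes of all href targets, to check what the client would follow."""
    return [urlsplit(h).scheme for h in re.findall(r'href="([^"]+)"', body)]


class HstsClient:
    """Minimal model of a browser's HSTS store: once a host has been seen
    over TLS with Strict-Transport-Security (or is on the preload list),
    any http:// URL for it is rewritten to https:// before a request is
    sent, so the attacker's stripped links never reach the network in
    plaintext. Ports are ignored here for simplicity."""

    def __init__(self, preloaded=()):
        self.hosts = {h.lower() for h in preloaded}

    def observe_tls_response(self, host: str, headers: dict) -> None:
        # Only responses received over TLS may set HSTS; the caller is
        # responsible for not feeding plaintext responses in here.
        sts = headers.get("strict-transport-security")
        if sts is None:
            return
        m = re.search(r"max-age\s*=\s*(\d+)", sts, re.IGNORECASE)
        if m is None:
            return
        if int(m.group(1)) > 0:
            self.hosts.add(host.lower())
        else:
            self.hosts.discard(host.lower())  # max-age=0 clears the entry

    def request_url(self, url: str) -> str:
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname in self.hosts:
            return parts._replace(scheme="https").geturl()
        return url


if __name__ == "__main__":
    print("attacker sees:", link_schemes(attacker_rewrite(SAMPLE_BODY)))
    c = HstsClient()
    c.observe_tls_response("example.com",
                           {"strict-transport-security": "max-age=31536000"})
    print("HSTS client requests:", c.request_url("http://example.com/login"))
```

The point the comment makes is visible in the two halves: without TLS nothing in the page stops strip_tls_links or inject_script, and the only thing that defeats the downgrade is state the client already holds (a prior HSTS header seen over TLS, or preloading), which a first-time visitor to a plaintext-only site does not have.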


On the other hand, what's the problem in using TLS for cases you don't think it useful? I can see a few reasons here, but I don't see any of them being enough not to use TLS everywhere:

- TLS is expensive: my gut says it's wrong, but I'd love to see some numbers. Ilya Grigorik [0] has done some experiments here, and I don't see TLS as really bad

- TLS is complicated: true, and we have to rely on tried and tested implementations. I'd say you'd need to do it whatever security we use (and we want security, right?)

- TLS requires certificates from the flawed CA infrastructure we have: wrong, public-key authentication isn't even the only authentication scheme possible with TLS, it's just the first one we think about (and also the most tested one).

Do you have other counter-arguments?

[0] https://www.igvita.com/2013/12/16/optimizing-nginx-tls-time-...


Those two reasons are enough for me. The web is supposed to be for everyone. A small restaurant that just has directions and a menu on their website shouldn't have to deal with the headache of setting up HTTPS.


If all HTTP connections enforced TLS, how would there be any extra burden?


1) There are regimes that would lock you up (or worse) for looking at some "purely informational" sites.

2) Defaults matter and developers make mistakes. Without required TLS many sites that should be encrypted won't be (they forgot, the site grew into something it didn't used to be, they had no idea what TLS was, etc)


Ruining the web in order to prevent any possibility of bad things happening is something I'm firmly against. I have several small blogs and websites that I absolutely would not bother with if I had to pay for and set up https on each.



