Clever websites use https for authentication only, and not to run the full application within https.
However those same "clever websites" should also use https for exchanging personal data, such as gathering your name and email address, changes to your profile etc. In the case of email - isn't all of it personal to you? Do you really want to be reading password reset details that have arrived in your inbox without https? Without https it would be possible for someone to engineer a password reset for you and then monitor your email as it arrives. Also lots of other confidential data may be sent via email. Admittedly the mail has probably been transported in the clear before it arrived at your mailbox, but that doesn't mean you shouldn't do your part.
Variables don't; constants aren't.