OK, the source & destination IP will be known by the "bad guys", but everything else is encrypted. The old excuse of "it takes too much CPU" was valid...back in the 1990s, but no longer. C'mon people! HTTPS *everywhere*!
not very likely, taking into account that browsers have been waging war against self-signed/free certificates for a while and the "warnings" are getting worse with every release (I, a geek, had a hard time finding the tiny "add an exception" in Firesloth^H^H^H^H^Hfox 3, and found it impossible to explain over the phone how to do it to someone not so computer literate)