You would think that by now the Internet would have grown up enough that things like online banking, email, or government websites would rely on thoroughly engineered security to make sure your data isn’t intercepted by attackers. Unfortunately when it comes to the vast majority of websites on the Internet, that assumption would be dead wrong.
Why is a lack of HSTS even an issue? To see what can go wrong, imagine the following common scenario. You are in a coffee shop and want to check your bank account. You open your laptop, connect to the free wifi, launch your browser, and type in your bank's address (without the https://, as almost everyone does). No security warning appears when the page loads, and there is even a padlock icon next to the address, so you go ahead and log in. Unfortunately, you may well have just handed your login credentials to an attacker.
The attack works as follows. Because you typed the address without a scheme, your browser's first request to the bank went out over plain HTTP. The attacker, sitting between you and the Internet (perhaps because his laptop is pretending to be that free wifi hot-spot), intercepted that request and never let it reach the bank. Instead he forwarded the request himself, over HTTPS, and received the real response: the page, its images, and so on. Before relaying it to your laptop he rewrote every https:// link and form action to http://, so that your login would be submitted in the clear to him rather than encrypted to the bank, and he set a padlock image as the page's favicon so that browsers of the day, which displayed the favicon in the address bar, showed something that looked like the security indicator. None of this requires manual work: Moxie Marlinspike's sslstrip tool, released in 2009, automates exactly this rewriting. The result is a page that looks identical in your browser. The only difference is that it is not secured, and the attacker can read everything you send to the server and everything that comes back. HSTS closes the hole by telling the browser, via a Strict-Transport-Security header received over a genuine HTTPS connection, to rewrite http:// to https:// for that host itself before any packet leaves the machine, so the plaintext request the attacker needs never happens. Two caveats worth knowing: the browser must already hold the policy, either from an earlier HTTPS visit or from the preload list built into the browser, so the very first visit to a site is still exposed; and the header is only honoured when received over an error-free TLS connection, since a header delivered over HTTP could itself have been forged or stripped by the attacker.
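The following Python model, written for this page and not taken from sslstrip or any browser, puts both halves of the story side by side: a stripping proxy's rewrite of a fetched page, and the browser-side HSTS cache that makes the plaintext request disappear. The HTML, the hostnames (bank.example, attacker.example) and the header values are constructed for illustration; the cache semantics (header ignored unless received over TLS, max-age=0 deletes, includeSubDomains covers child hosts, expired entries are dropped) follow RFC 6797.

```python
"""Model of an SSL-stripping proxy and of the browser-side HSTS cache that
defeats it. Added example: hosts, HTML and headers below are constructed."""
import re
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# --- Attacker side: what a stripping proxy does to the page it relays ------
# Constructed attacker-controlled favicon URL (assumption, not a real host).
PADLOCK_FAVICON = '<link rel="icon" href="http://attacker.example/padlock.ico">'


def strip_tls(html: str) -> str:
    """Downgrade every https:// reference to http:// and inject a padlock
    favicon, mimicking the rewrite a stripping proxy performs."""
    downgraded = re.sub(r"https://", "http://", html, flags=re.IGNORECASE)
    # Drop the favicon in right after <head> so the page "looks" secure.
    return re.sub(r"(<head[^>]*>)", r"\1" + PADLOCK_FAVICON, downgraded,
                  count=1, flags=re.IGNORECASE)


# --- Browser side: the HSTS policy cache ------------------------------------
@dataclass
class HstsEntry:
    expires_at: float
    include_subdomains: bool


class HstsCache:
    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now  # injectable clock so expiry can be tested
        self._entries: Dict[str, HstsEntry] = {}

    def observe(self, host: str, over_tls: bool, headers: Dict[str, str]) -> None:
        """Record a Strict-Transport-Security header from a response.
        The header is honoured only over an error-free TLS connection; a
        missing or malformed max-age is ignored and max-age=0 deletes."""
        sts = headers.get("Strict-Transport-Security")
        if not over_tls or sts is None:
            return
        directives: Dict[str, str] = {}
        for part in sts.split(";"):
            name, _, value = part.strip().partition("=")
            directives[name.lower()] = value.strip().strip('"')
        try:
            max_age = int(directives["max-age"])
        except (KeyError, ValueError):
            return
        if max_age <= 0:
            self._entries.pop(host, None)
            return
        self._entries[host] = HstsEntry(self._now() + max_age,
                                        "includesubdomains" in directives)

    def should_upgrade(self, host: str) -> bool:
        """True if the browser must rewrite http:// to https:// for host
        before sending anything: an unexpired exact match, or an unexpired
        superdomain entry that carried includeSubDomains."""
        now = self._now()
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry: Optional[HstsEntry] = self._entries.get(candidate)
            if entry is None:
                continue
            if entry.expires_at <= now:
                del self._entries[candidate]  # expired: forget it
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False


def navigate(cache: HstsCache, url: str) -> str:
    """Return the URL the browser actually requests for a typed-in URL."""
    scheme, _, rest = url.partition("://")
    host = rest.split("/", 1)[0].split(":")[0]
    if scheme == "http" and cache.should_upgrade(host):
        return "https://" + rest
    return url


if __name__ == "__main__":
    page = ('<html><head><title>Bank</title></head><body>'
            '<form action="https://bank.example/login">...</form></body></html>')
    print(strip_tls(page))  # what the victim's browser receives from the proxy

    cache = HstsCache()
    # First visit, no policy yet: the plaintext request goes out and is strippable.
    print(navigate(cache, "http://bank.example/"))
    # A prior genuine HTTPS visit delivered the header, so later visits are upgraded.
    cache.observe("bank.example", True,
                  {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
    print(navigate(cache, "http://www.bank.example/login"))
```

The first navigate call is the coffee-shop case: with no policy cached, the browser emits the http:// request that the proxy feeds on. Once a policy is held, the upgrade happens inside the browser, which is why the attacker's stripped header over plaintext (observe with over_tls=False) must not be allowed to register or to evict an existing entry.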
One more reason not to do anything more than watch cute cat videos on coffee-shop wifi.