Example: Evil-twin attack launched on an unsuspecting victim on a public network:
  1. Attacker sets up a network with the same SSID as the one you want to connect to.
  2. You are now connected to the bad actor, and he is routing your traffic. He can spoof your DNS, unless you have taken precautions.
  3. You look up 'facebook.com'; he reroutes you to 'façebook.com'. He also got a TLS certificate for his domain to look legit.
  4. He serves you a login screen that looks just like the original one. You type in your credentials.
  5. He redirects your request to Facebook, logs you in, and steals your PW in the process.
  6. You never know what hit you.
There are more attacks: man in the middle, DNS spoofing, etc.
By using a VPN, the encrypted connection is made from your device to a secure network, and the requests are made from there and sent back to you through a secure channel.
HTTPS might encrypt the content, but it won't save you from spoofed DNS and the like.
it cannot be done easily
It is definitely harder due to HTTPS, but I'd say it is still pretty easy.
I'm hating on the article a little bit, because people are already lazy about security, and things like this give an even more false sense of safety. It's still good that HTTPS is used as much as it is now, but it's not a silver bullet.
Also: see the link @cryprocoin posted
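
A defender-side check for the lookalike host in step 3 of the example above, added here as an illustration and not part of the original comments: it compares a hostname against the domains the user means to visit and flags names that only match after accents are folded away. The `TRUSTED` list and the function names are assumptions made for this sketch.

```python
import unicodedata

# Assumption: domains the user actually intends to visit (constructed list).
TRUSTED = {"facebook.com"}

def to_ascii(host: str) -> str:
    """Return the punycode form, which is what DNS and the TLS certificate carry."""
    return host.lower().rstrip(".").encode("idna").decode("ascii")

def to_unicode(host: str) -> str:
    """Decode an 'xn--' hostname back to Unicode; leave other input unchanged."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already contains non-ASCII characters

def skeleton(host: str) -> str:
    """Fold accented letters to their base letter ('ç' -> 'c').

    Limitation: this only catches accent-based lookalikes. Letters borrowed
    from another script (for example Cyrillic) do not decompose to Latin
    and need a confusables table instead.
    """
    decomposed = unicodedata.normalize("NFKD", host)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))

def classify(host: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a hostname."""
    name = to_unicode(host.lower().rstrip("."))
    if to_ascii(name) in TRUSTED:
        return "trusted"
    if skeleton(name) in TRUSTED:
        return "lookalike"  # differs from a trusted name only by accents
    return "unknown"

if __name__ == "__main__":
    # Constructed sample hostnames, including the one from the example above.
    for sample in ("facebook.com", "façebook.com", "example.org"):
        print(f"{sample!r:18} wire form {to_ascii(sample)!r:24} -> {classify(sample)}")
```

The wire form printed for the lookalike begins with `xn--`, which is also what the certificate for that domain names.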