by mseebach 5712 days ago
The GitHub solution seems reasonable: Use HTTPS for writes and truly sensitive stuff, and unencrypted for the rest. CDNs aren't a problem since your write-requests won't have any external resources on them (they'll just redirect back to HTTP). Then the HTTPS could even be handled on a third-party gateway provider (yes, then there's a weak spot between your servers and the third party, but that's much harder to penetrate than the wifi at Starbucks).

Your read-only session might still be hijacked, but that's relatively low impact (since someone could simply sniff what you're reading anyway).
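The split-session setup the comment describes, written out as an added illustration that is neither the commenter's code nor GitHub's actual implementation: a Secure-flagged cookie authorises writes and is only ever sent over HTTPS, while a separate plain cookie grants reads over HTTP, so a session sniffed on open wifi cannot be replayed for a write. The cookie names, the HMAC token format and the `handle` dispatcher are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Constructed per-process secret; a real deployment uses a persistent server key.
SECRET = secrets.token_bytes(32)


def _sign(value, scope):
    """Bind the token to its scope so a read token cannot be replayed as a write token."""
    mac = hmac.new(SECRET, f"{scope}:{value}".encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"


def _verify(token, scope):
    """Return the signed value if the token is valid for this scope, else None."""
    if not token or "." not in token:
        return None
    value, _ = token.rsplit(".", 1)
    return value if hmac.compare_digest(_sign(value, scope), token) else None


def login_cookies(user):
    """Set-Cookie headers issued once at login over HTTPS: one plain, one Secure."""
    read = SimpleCookie()
    read["ro_session"] = _sign(user, "read")
    read["ro_session"]["httponly"] = True   # readable by the server only, but travels over HTTP
    read["ro_session"]["samesite"] = "Lax"
    write = SimpleCookie()
    write["rw_session"] = _sign(user, "write")
    write["rw_session"]["secure"] = True    # browser never sends it on a plain-HTTP request
    write["rw_session"]["httponly"] = True
    write["rw_session"]["samesite"] = "Strict"
    return [read.output(header="").strip(), write.output(header="").strip()]


def handle(method, scheme, cookie_header):
    """Dispatch: reads accept the plain cookie; writes need HTTPS plus the Secure cookie."""
    jar = SimpleCookie(cookie_header or "")
    ro = jar["ro_session"].value if "ro_session" in jar else None
    rw = jar["rw_session"].value if "rw_session" in jar else None
    if method in ("GET", "HEAD"):
        user = _verify(ro, "read")
        return (200, f"feed for {user}") if user else (200, "public feed")
    if scheme != "https":
        return (301, "redirect to https")  # bounce plain-HTTP writes to the HTTPS endpoint
    user = _verify(rw, "write")
    return (200, f"write ok for {user}") if user else (403, "write requires HTTPS session")
```

A sniffer on the HTTP side only ever sees `ro_session`, and because the MAC covers the scope, presenting that value as `rw_session` over HTTPS is rejected.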