
You are right, all your Reddit traffic should be encrypted, but the reason is not because it's a vulnerability, it's because you have a personal expectation of privacy, which is different from an unexpected or undesired incident in their information system.

Let's not forget that from Reddit's point of view, the browsing of the public content is not confidential, hence no need to hide it. Only your credentials are confidential, hence their transmission is configured to happen through a secure channel by default (if you're lucky). As long as it matches their security policy, it is not a vulnerability, per se. The vulnerability here is that Reddit 1) accepts authentication events sent through HTTP and that 2) Reddit keeps considering accounts as reliable after a successful HTTP authentication. We could also argue on the quite insignificant consequences of your Reddit account being hacked (for most users) in opposition to the disclosure of a password that you have not used anywhere else (isn't it?).

As a user, you believe that the Reddit pages you browse should be private, which led you to conclude Reddit is flawed. I agree that Reddit users' traffic should be kept private. But, we are still in an era where information security is defined by the expectations of corporations, not those of customers/users. The total cost induced by the fact that anyone on the same network as you can see your Reddit traffic remains lower than improving the security of the platform.

If you want Reddit to consider this as a "vulnerability", you need to either convince lots of users to stop using Reddit until they fix this (traffic volume pressure) or convince loud people to start shaming their owners on large-audience news sites (shame pressure). These two strategies are the only ones that work, to my knowledge. As long as their business keeps running and there is no shaming, they don't have any real incentive to pull the source code and fix this: it's not a major security vulnerability. (The fact that browsers overwrite HTTPS cookies from HTTP responses is a major one, though...)




I consider them vulnerable. As a test I successfully hijacked a Reddit identity using nothing but tcpdump on my router. Leaking credential information is a form of vulnerability. Just because lots of people do this does not make it less vulnerable.

Even if Reddit allowed you to log in via HTTPS only and kept your session cookie secure, but let you browse anonymously over HTTP, they'd still be leaking info about what you are browsing, as you said. I agree, this is a problem for the user. Say, the user is looking at topics about maternity leave while her boss doesn't know she is pregnant. What can the boss do with this info? Or say the user is looking into methadone clinic experiences at work?

Browsing over HTTP also lets an attacker inject content. Ads are the obvious and somewhat innocuous case, but think about the phishing opportunities here. "Please log in to proceed" with a form that submits the password to the attacker.

You are right they won't change until either their users start complaining, or something really bad happens as a result of this negligence, but I am simply using them as an example of a pretty widespread issue. Lots of sites do this and it's very unfortunate.



