This is the most common finding in penetration tests. Having HTTP running on any web service should be ranked as High because of how easy a MITM attack can be if they're on the same network. Using weaker encryption algorithms will have a rank of Low-Moderate because of how an adversary would need a MITM position and advanced tools to decrypt or get a hold of a session key.
