Why is HTTP data sent in clear text over password-protected Wifi?
I mean, my WiFi is protected, so all the communication should be encrypted, right?
It is, but not at the place you're reading it. Encryption happens at a certain point in the "pipeline", and decryption then must also happen at a certain point in the "pipeline" (otherwise the data are useless). You are observing the data after they have been decrypted, which would not be possible if you were using HTTPS (which instead provides end-to-end encryption, which starts at the server and ends at the browser).
If you attempted to use Wireshark to capture the contents of an HTTPS transaction, it'd be like this:
    +--------+ (encrypted) +----------+ (encrypted) +--------+
    | Server | ----------->| Internet |------------>| Router |
    +--------+             +----------+             +--------+
                                                         |
                                                         | (encrypted)
                                      +------------------+---+
                                      | Your PC          |   |
                                      | +-----------+ (e)|   |
                                      | | Browser   |<---+   |
                                      | +-----------+    |   |
                                      | +-----------+ (e)|   |
                                      | | Wireshark |<---/   |
                                      | +-----------+        |
                                      +----------------------+
Here, your browser knows how to decrypt the data, because it "owns" the HTTPS transaction in the first place; your Wireshark instance (which, per the very purpose of end-to-end encryption, is treated just like any other snooper in this scenario) does not.
But your wireless encryption starts at the router and ends at the PC's network card, so the result for you is more like this:
    +--------+ (plaintext) +----------+ (plaintext) +--------+
    | Server | ----------->| Internet |------------>| Router |
    +--------+             +----------+             +--------+
                                                         |
                                                         | (encrypted)
                                      +------------------+---+
                                      | Your PC          |   |
                                      | +-----------+ (p)|   |
                                      | | Browser   |<---+   |
                                      | +-----------+    |   |
                                      | +-----------+ (p)|   |
                                      | | Wireshark |<---/   |
                                      | +-----------+        |
                                      +----------------------+
Here, anything on your PC can read the data, because they were decrypted by your network card. Otherwise, what application would decrypt the data? Nothing would work.
There is almost no relationship between HTTPS and WPA2-PSK; they do completely different jobs.
Using a router with WPA2-PSK (or any other network encryption algorithm) does not mean all sites are forced to use HTTPS. It means that the unencrypted traffic is not visible to those who are not connected to the network.
Consider HTTPS as a relationship between your browser and the website.
Consider WPA2-PSK as the relationship between your device and your access point.
When you run Wireshark on a computer, you're capturing the traffic that the computer can "see".
If you run Wireshark while browsing HTTP websites, the computer "sees" data in clear text, because the Wi-Fi encryption occurs at the router/access point level, which is known as "link layer".
If, on the other hand, you run Wireshark while browsing HTTPS websites, Wireshark "sees" encrypted data, even if you're not using Wi-Fi encryption, because HTTPS encryption (SSL/TLS) occurs at the browser level or, more precisely, at the "application layer".
Think of it this way.
An access point allows several devices to connect to the Internet. Without any kind of encryption, any device (whether inside or outside the wireless network) would be able to "see" traffic in clear text from and to any device connected to the network. Wi-Fi encryption prevents devices outside the network from seeing your traffic (that's what the passphrase is used for) and prevents devices inside the network from spying on each other (simplifying a bit, data are encrypted with different keys for each device). Therefore, if Alice and Bob are connected to the access point AP, not only can Eve (who is outside the network) not see the traffic related to Alice and Bob, but Bob cannot see what Alice is doing, and vice versa.
However, the owner of the Wi-Fi network can easily see what Alice and Bob are doing.
The analogy
Think about encryption (for the moment) as a series of tubes, and about data as letters sent through those tubes.
The wireless network is a huge room where you can read, write, and transmit messages, since it also includes a post office (access point).
The post office allows your letters to be sent to somebody using another box, perhaps on the other side of the world. It does so by checking the address written on the letter and sending it there.
If Wi-Fi encryption is used, the room is locked and every user has a distinct tube, through which he can send and receive messages.
The Internet is everything which is outside of the huge room. Alice and Bob are inside the room, Eve is outside of it.
Disclaimer: for the sake of brevity, talk=write and read in this context
1) If the room wasn't locked, without tubes, and you were sending clear text postcards (no Wi-Fi encryption, no HTTPS), you would have a working post office (correctly sending and receiving letters), but a very insecure one. Alice could grab the letters sent by Bob, and vice versa. In addition, anyone could enter the post office and grab any letter. In other words, it would be a huge mess.
2) Wi-Fi encryption, no HTTPS corresponds to a locked room using one tube per person, so that Alice cannot grab the letters sent or received by Bob. Clearly, Eve, who's not even in the room, can't see anything. However, those letters are clear text postcards, meaning that the content is not encrypted. This means that the post office can see everything you send and receive.
Now, you may not like this. Why should the post office be able to read your messages if they only need to dispatch them? You then agree with the people you're communicating with, and decide to write coded or encrypted postcards. For example, HI MIKE would become FJSDJHDNFSJ.
This way, the post office cannot understand what you and your friends are talking about.
3) A system involving encrypted cards and an unlocked room with no distinct tubes is similar to no Wi-Fi encryption, but HTTPS. So the post office doesn't know what you're writing and reading, and Eve (who is outside of the locked room, but can see your letters as they exit the room) can collect or copy your messages but cannot understand them. Everything is fine, right? Well, no. Bob, Eve, and other people (both inside and outside of the network) can still see who you're talking to.
4) If the system involves a locked room with distinct tubes and encrypted postcards, it's similar to Wi-Fi encryption + HTTPS, which is pretty nice. No one knows what you're talking about, and only the post office knows who you're talking to.
TL;DR. HTTP on password-protected Wi-Fi allows you and the access point owner to read your traffic, even if other people on the same network can't.
HTTPS on password-protected Wi-Fi means that only you can read your traffic, and only the access point owner knows which websites you're visiting.
As an aside, if you don't want the AP owner to know which websites you're visiting, you should use other solutions, including VPNs and Tor.
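The layering described in the answers above (link-layer encryption between device and access point, HTTPS between browser and server) can be modelled directly; the following is an added example, not code from any of the answers. The keys, host name, request and the SHA-256 keystream cipher are constructed stand-ins, and the per-device link key follows the answers' simplified model of Wi-Fi encryption.

```python
import hashlib

MAGIC = b"LAYEROK:"  # lets a holder of the right key recognise a successful decrypt

def xor(key, data):
    """Toy keystream cipher (SHA-256 counter mode); a stand-in for WPA2/TLS, not real crypto."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def wrap(key, data):
    """Encrypt one layer under key, or pass it through in the clear if key is None."""
    return b"E" + xor(key, MAGIC + data) if key else b"P" + data

def unwrap(layer, keys):
    """Payload of a layer if it is clear or one of `keys` opens it, else None."""
    if layer[:1] == b"P":
        return layer[1:]
    for k in keys:
        plain = xor(k, layer[1:])
        if plain.startswith(MAGIC):
            return plain[len(MAGIC):]
    return None

def send(host, request, wifi_key=None, tls_key=None):
    """Frame as it crosses the air: link layer around (destination + application data)."""
    return wrap(wifi_key, host.encode() + b"\n" + wrap(tls_key, request.encode()))

def view(frame, keys):
    """(destination, content) recoverable by an observer holding `keys`."""
    packet = unwrap(frame, keys)
    if packet is None:
        return (None, None)
    host, inner = packet.split(b"\n", 1)
    content = unwrap(inner, keys)
    return (host.decode(), content.decode() if content is not None else None)

# Constructed keys and observers (assumptions for this example only).
ALICE_WIFI, BOB_WIFI, TLS = b"alice-link-key", b"bob-link-key", b"browser-session-key"
OBSERVERS = {
    "browser": [ALICE_WIFI, TLS],     # owns the HTTPS session
    "wireshark_on_pc": [ALICE_WIFI],  # sees what the network card already decrypted
    "ap_owner": [ALICE_WIFI],
    "bob": [BOB_WIFI],
    "eve": [],
}

def report(wifi_key, tls_key):
    """What each observer recovers from one request sent by Alice."""
    frame = send("example.test", "GET /inbox", wifi_key, tls_key)
    return {name: view(frame, keys) for name, keys in OBSERVERS.items()}
```

Calling `report(ALICE_WIFI, None)`, `report(ALICE_WIFI, TLS)` and `report(None, TLS)` reproduces the HTTP-on-protected-Wi-Fi, HTTPS-on-protected-Wi-Fi and HTTPS-on-open-Wi-Fi cases respectively.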