HTTPS-Everywhere handshake check flaw
When someone visit website , and that website configured TLS to be useless and vulnerable to MITM (not checking if there is "Protocol Support" and "Cipher Strength") then this is real flaw of HTTPS-Everywhere to pass this as secure connection.
E.g to make this very clear:
This is an F website and allows MITM due to insecure renegotiation. But when you visit the website while HTTPS-Everwhere enabled it will not read it as insecure connection or even showing yellow sign that the connection is not encrypted (by the lock browser).
So whether this HTTPS-Everywhere flaw or TBB , something is wrong here.