
> and at that point traffic can be captured/modified.

Always-on VPN on the phone beats this, imho.



So, even with a VPN, you are still going through the Stingray.

But you can establish a point-to-point secured connection tunnel with the VPN.

Then the VPN goes to the non-SSL website, and gets the HTML in plain text.

But, if there are compromised routers between the VPN and the website, then you can still be MITM attacked.

Hmm... a determined foe can still checkmate you for visiting a non-SSL website, even over VPN.


The adversary in this case is the local (Moroccan) government, so using a VPN would have likely saved him, as long as he chose one with an exit in a different country (one unlikely to cooperate with his own, obviously).

If the insecure website itself is in Morocco then he's hosed either way, whether the website is behind SSL or not.



