I know someone who got caught out by this. Bank's front page was http, so the attackers mitm'ed that. Ebanking link was swapped out for an https page they controlled, allowing the credentials to be harvested before redirecting to the bank.
When you first access a site, unless the site is using HSTS you are going to go to an insecure version so a mitm can proxy the request and remove tls or redirect you to another site. This is what is known as "https stripping."
andreareina|6 years ago
iso1631|6 years ago
Your browser then loads www.whatever.com as http, even if the server doesn't allow http.
HSTS means if you've been to www.whatever.com before you'll be blocked. If you've never been before that doesn't help though.
In that fashion, typing www.mybank.com could redirect you to http://www.mybank.com (mitm) then to https://www.mybank.com-login.com/, where you get a green padlock.
resoluteteeth|6 years ago
zzzcpan|6 years ago