How do you redirect to the phishing site, if you are currently browsing an SSL-encrypted website, without making it too obvious? Since you get an error message in the browser...
That is correct. However, it's trivial for a MiTM attacker to perform an SSL stripping attack when the victim is communicating with sites that support plain HTTP.
Hmm, if you can control the plaintext network, isn't there an NTP attack to reverse time and use old compromisable certificates or move it forward past HSTS max age?
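
Added example, not part of the thread above: a defender-side audit of a site's `Strict-Transport-Security` header against the two gaps the comments raise, plain-HTTP exposure and a policy that lapses when the client clock is moved forward. The function names, the one-year threshold and the sample headers are assumptions made for this example.

```python
from dataclasses import dataclass

ONE_YEAR = 31536000  # seconds; audit threshold assumed for this example

@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False

def parse_hsts(header):
    """Parse a Strict-Transport-Security value; None if it has no valid max-age."""
    max_age, flags = None, set()
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not (value.isascii() and value.isdigit()):
                return None  # duplicate or malformed max-age voids the header
            max_age = int(value)
        elif name:
            flags.add(name)
    if max_age is None:
        return None
    return HstsPolicy(max_age, "includesubdomains" in flags, "preload" in flags)

def enforced_at(policy, noted_at, client_clock):
    """Would a browser that stored the policy at noted_at still enforce it
    when its own clock reads client_clock? Both are Unix seconds."""
    return policy.max_age > 0 and client_clock < noted_at + policy.max_age

def audit(header, forward_skew=ONE_YEAR):
    """Findings for one header, modelling a clock moved forward by forward_skew seconds."""
    policy = parse_hsts(header) if header else None
    if policy is None or policy.max_age == 0:
        return ["no usable HSTS policy: plain-HTTP requests are open to stripping"]
    findings = []
    if not enforced_at(policy, 0, forward_skew):
        findings.append("policy lapses if the client clock moves forward by the modelled skew")
    if not policy.include_subdomains:
        findings.append("includeSubDomains missing: subdomains are not covered by this policy")
    if not policy.preload:
        findings.append("preload missing: the first visit relies on the site's own redirect")
    return findings

if __name__ == "__main__":
    # Constructed sample headers, not captured from any real site.
    for h in ("max-age=300", "max-age=63072000; includeSubDomains; preload"):
        print(h, "->", audit(h) or "no findings")
```

The `preload` directive only signals that the site asks to be listed; whether a given browser actually ships the entry has to be checked separately.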