by talklittle 3181 days ago
> You can try an Ajax request or loading a picture over SSL and then redirect with JS if it doesn't fail.

Neat idea, but wouldn't this still be exposed to ISP-level attacks? Since the user is still loading the page initially in plain HTTP, so the ISP could still inject code, remove the JS redirect, etc.

Yes, no redirect can protect the user from that. In fact, not even completely disabling HTTP can - the ISP can respond on port 80 anyway. But it can protect them if they open it on a safe connection and then bookmark the page, or keep the tab open, or send the link to someone else, and then use that link on an unsafe connection.
Or using HSTS (especially with HSTS preloading).
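
Added example, not part of the thread above: a Python check that parses a `Strict-Transport-Security` value per RFC 6797 and reports whether a browser would honour it and whether it meets the preload-list criteria. The function names and sample responses are constructed for illustration; the one-year minimum, `includeSubDomains` and `preload` requirements are taken from the public preload submission rules, not from this page.

```python
import re

PRELOAD_MIN_AGE = 31536000  # one year; assumed preload-list minimum

def parse_hsts(value):
    """Parse an HSTS header value into {directive: argument-or-None}.

    Per RFC 6797, directive names are case-insensitive and a repeated
    directive or a missing/non-numeric max-age invalidates the header.
    Returns None for an invalid header.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate empty segments such as a trailing ';'
        name, _, arg = part.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"') if arg else None
        if name in directives:
            return None
        directives[name] = arg
    age = directives.get("max-age")
    if age is None or not re.fullmatch(r"\d+", age):
        return None
    directives["max-age"] = int(age)
    return directives

def assess(scheme, hsts_value):
    """Return (honoured, preload_ready, reason) for one response."""
    if scheme != "https":
        # Browsers ignore HSTS on plain HTTP: an on-path party could
        # have added or stripped the header, so it carries no trust.
        return (False, False, "ignored: received over plain HTTP")
    d = parse_hsts(hsts_value) if hsts_value else None
    if d is None:
        return (False, False, "missing or malformed header")
    if d["max-age"] == 0:
        return (False, False, "max-age=0 clears the stored policy")
    ready = (d["max-age"] >= PRELOAD_MIN_AGE
             and "includesubdomains" in d and "preload" in d)
    return (True, ready, "ok" if ready else "honoured, not preload-eligible")

if __name__ == "__main__":
    # Constructed sample responses: (scheme, header value)
    for scheme, hdr in [("http", "max-age=31536000; includeSubDomains; preload"),
                        ("https", "max-age=300"),
                        ("https", "max-age=63072000; includeSubDomains; preload")]:
        print(scheme, repr(hdr), "->", assess(scheme, hdr))
```

Only the last sample covers the first plain-HTTP load discussed in the thread, and only once the domain is actually on the preload list; the second is honoured but still depends on a prior visit over a safe connection.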