[krn]

The user can just be redirected to another similar looking site with a valid TLS certificate.

[tedunangst]

How?

[ktta]

https://gmail.com.inbox-redirect.pro

This will seem like a valid website, especially if the phishing site is done well. Not just non-technical users, I'd wager some tech familiar users would be fooled too.

The focus always being on the lock icon might not always cover it.

Safari will prevent this though.

[aaron_m04]

Isn't that why browsers visually distinguish the TLD and the part before it from the rest of the URL?

[krn]

SSL/TLS downgrade attack when HSTS is not enabled.