[kevinsimper]

You would have to trust a root certificates from your mitm attacker, so it is not a problem.

[andreareina]

I know someone who got caught out by this. Bank's front page was http, so the attackers mitm'ed that. Ebanking link was swapped out for an https page they controlled, allowing the credentials to be harvested before redirecting to the bank.

[iso1631]

Block outgoing connections on port 443. MITM anything on port 80 which forwards to the server on port 443.

Your browser then loads www.whatever.com as http, even if the server doesn't allow http.

HSTS means if you've been to www.whatever.com before you'll be blocked. If you've never been before that doesn't help though.

In that fashion, typing www.mybank.com could redirect you to http://www.mybank.com (mitm) then to https://www.mybank.com-login.com/, where you get a green padlock.

[resoluteteeth]

When you first access a site, unless the site is using HSTS you are going to go to an insecure version so a mitm can proxy the request and remove tls or redirect you to another site. This is what is known as "https stripping."

[zzzcpan]

You are talking about "HSTS Preload", HSTS doesn't do anything on first access.

[acdha]

HSTS helps unless you are always on compromised networks or the site uses short TTLs. Even without preloading most people are probably not accessing their bank for the first time ever on a malicious network.