[emily37]

I think Strict Transport Security does more or less exactly what you're asking for: http://tools.ietf.org/html/draft-ietf-websec-strict-transpor....

But besides that, as I understand it, this attack doesn't require an HTTP request to the victim site; it only requires an HTTP request to any site, followed by an HTTPS request to the victim site, so STS wouldn't be much help here unless all websites turn on SSL and adopt STS. (Though someone should correct me if I'm wrong.)

[peterwwillis]

This vulnerability works by injecting HTML and JS purporting to be from a plaintext version of the site being attacked. In other words, the browser has to accept non-SSL pages from the domain. If your browser just threw away all unencrypted requests for the domain this would never work. Neither would sslstrip or a handful of other tools; the improper handling of SSL certs would have an impact, however.

I could have read that draft wrong but it looks like it depends on headers from the victim site to determine if all traffic should be encrypted. MitM would defeat this.