[coderrr]

Looks like app.net isn't perfect either. Their HSTS isn't implemented correctly. Only 'alpha.app.net' and 'join.app.net' are protected while 'app.net' is not. They fell into one of the common pitfalls with their http->https redirects: http://coderrr.wordpress.com/2010/12/27/canonical-redirect-p... You can verify this at: chrome://net-internals/#hsts