> If you don't type the https url, you start by visiting the http website. Normally the http version will redirect to https, but a man in the middle can easily prevent this.
This is not entirely correct. HSTS[0] was designed to protect against such attacks.
It's true, however, that not every browser out there supports it yet, and you must visit the website at least once without MITM for the server to successfully communicate HSTS header. (In Chrome certain domains are included in built-in list[1], though.)