[Maxnuf]

In the original Dutch article (https://decorrespondent.nl/845/Dit-geef-je-allemaal-prijs-al...) the author explained in the comments that they used SSLstrip for facebook and live.com So, the connection was over HTTP and not HTTPS. They added a padlock favicon.ico image to give the impression the site was secure

[k_bx]

Ah. I wonder how hard would it be to extend protocol to let Facebook, for example, state that they will never go https again, so that browser would scream.

[Quentangle]

If you meant to say "never go http again", then the protocol for that already exists.

http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

https://plus.google.com/+JoshuaBerg/posts/YrdsMzYzotr

https://hstspreload.appspot.com/

[k_bx]

That is cool, thank you!

[DasIch]

Isn't this exactly what HSTS is for?