Hacker News
by giancarlostoro 4006 days ago
That sounds like altering existing content by adding new content btw.

Yes, a MITM can do that.
And could still do the exact same thing if they had TLS: get the page, add crap, and serve the result (albeit without TLS).
You know, I've never really realized that before. It's actually a pretty huge security hole for average users, no? There should be a way to explicitly forbid non-encrypted connections on a DNS level.
That's roughly the purpose of HSTS, but you need to have visited the site at least once first (or in the case of popular sites, HSTS status of a site is shipped with the browser.)
People who are encountering this for the first time might want to look at

http://www.thoughtcrime.org/software/sslstrip/

for some of the motivation!

A technical user could reasonably be expected to look for https before downloading 'preview build' or something equally payload-ey.

Then sigh and download PuTTY anyway...
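
The HSTS behaviour discussed in this thread (an unprotected first visit unless the site is preloaded, and the header being honoured only over HTTPS) can be modelled as below. This is an added example, not code from any commenter or from a browser; the `HstsStore` class, the `.example` host names and the exact-match preload list are simplifying assumptions.

```javascript
// Simplified model of a browser's HSTS store (RFC 6797 semantics, reduced).
// Host names and the preload entry are constructed for illustration.
class HstsStore {
  constructor(preloaded = []) {
    this.preloaded = new Set(preloaded); // hosts shipped with the browser
    this.dynamic = new Map();            // host -> { expires, includeSubDomains }
  }

  // Record a Strict-Transport-Security header. It is honoured only when
  // received over HTTPS; over plain HTTP it is ignored, because a MITM
  // could have injected or stripped it.
  noteResponse(url, headerValue, now) {
    const u = new URL(url);
    if (u.protocol !== 'https:' || !headerValue) return false;
    const directives = headerValue.split(';').map(d => d.trim().toLowerCase());
    const maxAge = directives.map(d => /^max-age="?(\d+)"?$/.exec(d)).find(Boolean);
    if (!maxAge) return false;
    const seconds = Number(maxAge[1]);
    if (seconds === 0) { this.dynamic.delete(u.hostname); return true; }
    this.dynamic.set(u.hostname, {
      expires: now + seconds * 1000,
      includeSubDomains: directives.includes('includesubdomains'),
    });
    return true;
  }

  // True if the host is a known HSTS host at time `now` (milliseconds).
  isHsts(host, now) {
    if (this.preloaded.has(host)) return true;
    const labels = host.split('.');
    for (let i = 0; i < labels.length; i++) {
      const entry = this.dynamic.get(labels.slice(i).join('.'));
      // A parent-domain entry only applies if it set includeSubDomains.
      if (entry && entry.expires > now && (i === 0 || entry.includeSubDomains)) return true;
    }
    return false;
  }

  // URL the browser actually requests when the user follows `url`.
  resolve(url, now) {
    const u = new URL(url);
    if (u.protocol === 'http:' && this.isHsts(u.hostname, now)) u.protocol = 'https:';
    return u.href;
  }
}
```

Until `noteResponse` has succeeded once over HTTPS, `resolve` leaves `http://` URLs untouched, which is the window an sslstrip-style MITM relies on; preloaded hosts have no such window.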