I remember discovering Moxie Marlinspike talking about this issue 9 years ago and he described this attack as "deadly".

And it really is. In essence, a man in the middle converts all https links to http and proxies out the traffic. A victim would need to notice the missing https in the URL to detect this.

HSTS and the https-everywhere browser plugin partially solve the problem.

I think the only viable solution is for all http traffic to be encrypted and to consider non-encrypted traffic suspect.
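
The comment calls HSTS a partial fix. As an added example (not part of the comment, and not any browser's actual code), this simplified model of a browser's HSTS host list under RFC 6797 shows when an http:// request is upgraded locally and where the first-visit gap leaves it open to the downgrade. The class name, hostnames and timestamps are constructed, and preloaded entries are assumed to cover subdomains.

```python
import re


class HstsStore:
    """Simplified model of a browser's HSTS host list (RFC 6797)."""

    def __init__(self, preloaded=()):
        # Assumption: preloaded entries never expire and cover subdomains.
        self.preloaded = {h.lower() for h in preloaded}
        self.dynamic = {}  # host -> (expiry time, include_subdomains)

    def note_header(self, host, scheme, header, now):
        """Process a Strict-Transport-Security header; True if it was honoured."""
        if scheme != "https":
            # A header seen over plain HTTP is ignored, so an on-path
            # attacker can neither set nor clear a policy that way.
            return False
        directives = {}
        for part in header.split(";"):
            name, _, value = part.strip().partition("=")
            if name:
                directives[name.strip().lower()] = value.strip().strip('"')
        max_age = directives.get("max-age", "")
        if not re.fullmatch(r"\d+", max_age):
            return False  # max-age is required; a malformed header is ignored
        host = host.lower()
        if int(max_age) == 0:
            self.dynamic.pop(host, None)  # max-age=0 deletes the dynamic policy
            return True
        subs = "includesubdomains" in directives
        self.dynamic[host] = (now + int(max_age), subs)
        return True

    def upgrades(self, host, now):
        """True if an http:// request to host is rewritten to https:// locally."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            name = ".".join(labels[i:])
            if name in self.preloaded:
                return True
            expiry, subs = self.dynamic.get(name, (0, False))
            # A parent domain's policy applies only with includeSubDomains.
            if expiry > now and (i == 0 or subs):
                return True
        return False
```

A host that is neither preloaded nor previously visited over HTTPS returns `False` from `upgrades`, which is the window the stripping attack relies on.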