http://www.troyhunt.com/2013/05/your-login-form-posts-to-https-but-you.html
My question is, if the threat is that someone controls your internet connection and can serve up bad login pages, couldn't the attacker just serve you a page like facebook.com instead of https://www.facebook.com?
Many sites just have a 301 redirect to their secure site, so I don't see what prevents an attacker from taking advantage of the victim who types in facebook.com and then serving up that page with a fake login form. Is the idea that the user would notice that there's no lock in the upper left corner?
I'm definitely not the expert in this, so I'm asking to just further my knowledge; I'm not trying to disprove anyone and just want to understand security better.