"But can you spoof the browser detecting a secure connection and then turning the page tab bright green?"
The important part of what Marlinspike showed is that you don't have to. He ran his setup on a Tor exit node, the users of which are presumably more security-minded than the rest of the general population, and not a single user balked at the lack of positive feedback.
HSTS is a real solution, but not a scalable one.