The site operator never told me to use plain http either. I just "randomly" ended up there by clicking on a link on HN that has no relation at all to the site.
If you expect http->https redirection to be the only valid path to an https site, then a MITM attacker would obviously disable that redirection because it's still done on the unsecure channel. This is the whole reason extensions like HTTPS Everywhere exist.