> What's worse, many plaintext HTTP connections today are entirely invisible to users, as HTTP sites may immediately redirect to HTTPS sites. That gives users no opportunity to see Chrome's "Not Secure" URL bar warnings after the risk has occurred, and no opportunity to keep themselves safe in the first place.
What is the risk exactly? A man-in-the-middle redirect to a malicious https site?
Yes, that. Could be to a lookalike domain name, for example.
HTTPS sadly offers no protection from that at all these days. At least in the past when something was HTTPS you knew that someone had to jump through some hoops and pay some real money to earn that padlock, but now any script kiddie can automate certificates for free for as many lookalike domains they want to.
It would be nice to see some way for browsers to indicate when a site has some extra validation so you could immediately see that your bank has a real certificate as is appropriate for a bank and not just Let's Encrypt. Yes, I can click the padlock icon to get that information, but it would be nice if there was some light warning for free certificates to make it more immediately obvious.
A MITM could replace the redirect with malicious content, as described in the blog.