AWS DNS network hijack turns MyEtherWallet into ThievesEtherWallet

Jon 37

HSTS

Why on earth is an online wallet site not using HSTS??

HSTS was designed to prevent this attack. If enabled, it stops you clicking through the security warning. You just get a certificate error page, you don't get an option to click through. Because we have trained users to click through the error messages.

HSTS also prevents you from accidentally visiting the http: version of the site: your web browser will silently redirect you to the https: version.

HSTS is a flag that the website enables. Once enabled, browsers remember it (and it can't be unset), so you're protected for subsequent visits to the site. A website owner can also ask for their site to be added to the HSTS preload list, which is built into the browser, to provide protection to people visiting the site for the first time.
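To make the browser-side behaviour the comment describes concrete, here is an added example (not from the article or the commenter) that simulates a browser's HSTS policy store following RFC 6797: parsing the Strict-Transport-Security header, only honouring it on a clean HTTPS response, upgrading later http: navigations to https:, refusing certificate-error click-through for known hosts, and seeding first-visit protection from a preload list. The host names, timestamps and the `preload` set are constructed for the example; a real browser ships the preload list compiled in.

```python
"""Simulated browser HSTS policy store (RFC 6797). Added example, not page code."""
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header_value):
    """Parse an STS header value. Returns None if the header must be ignored."""
    max_age = None
    include_subdomains = False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            # Duplicate or non-numeric max-age makes the whole header invalid (RFC 6797 6.1).
            if max_age is not None or not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        # "preload" and unknown directives are ignored by the browser itself.
    if max_age is None:
        return None  # max-age is required
    return {"max_age": max_age, "include_subdomains": include_subdomains}


class HstsStore:
    """Per-browser cache of known HSTS hosts: host -> (expiry_time, include_subdomains)."""

    def __init__(self, preload=()):
        # Preloaded hosts never expire and (as the preload list requires) cover subdomains.
        self.known = {host.lower(): (float("inf"), True) for host in preload}

    def observe(self, url, headers, now, cert_ok=True):
        """Process a response; only a clean HTTPS response may set or clear policy (RFC 6797 7.2)."""
        parts = urlsplit(url)
        if parts.scheme != "https" or not cert_ok or parts.hostname is None:
            return
        value = next((v for k, v in headers.items()
                      if k.lower() == "strict-transport-security"), None)
        if value is None:
            return
        policy = parse_hsts(value)
        if policy is None:
            return
        if policy["max_age"] == 0:
            # max-age=0 tells the browser to forget the host (RFC 6797 6.1.1).
            self.known.pop(parts.hostname, None)
        else:
            self.known[parts.hostname] = (now + policy["max_age"], policy["include_subdomains"])

    def is_known(self, host, now):
        """True if host (or a superdomain with includeSubDomains) has an unexpired policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.known.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires, include_subdomains = entry
            if expires <= now:
                continue
            if i == 0 or include_subdomains:
                return True
        return False

    def navigate(self, url, now):
        """Return the URL the browser will actually fetch (RFC 6797 8.3 URI rewriting)."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname, now):
            return url
        host = parts.hostname
        if parts.port not in (None, 80):
            host = f"{host}:{parts.port}"  # port 80 becomes 443; other ports are kept
        return urlunsplit(("https", host, parts.path, parts.query, parts.fragment))

    def may_bypass_cert_error(self, host, now):
        """Known HSTS hosts get a hard failure: no click-through (RFC 6797 8.4, 12.1)."""
        return not self.is_known(host, now)


if __name__ == "__main__":
    # Constructed scenario: a wallet site sets HSTS, later a hijacked copy shows a bad cert.
    store = HstsStore()
    store.observe("https://wallet.example/", {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}, now=1000)
    print(store.navigate("http://wallet.example/login", now=2000))
    print("click-through allowed:", store.may_bypass_cert_error("wallet.example", now=2000))
```

The `observe` guard is the part worth noticing: a header seen over plain HTTP or behind a certificate error is discarded, so an attacker who has hijacked the site cannot use HSTS against its users, while a legitimate site that has set it once locks every later visit within `max-age` to HTTPS with a proper certificate.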
