As long as mint.com has HSTS, and either the user has been there once before or it was hard-coded into the browser as an HSTS domain, then the browser will never visit http://mint.com; it will immediately go to https://mint.com.
EDIT: and, well, it doesn't seem that mint.com even has HSTS enabled... so, bad example :P
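To make the "per host, and only once the browser has seen it" behaviour concrete, here is an added example that is not code from this thread or from any real browser: a toy model of a browser's HSTS policy store and the upgrade decision it makes before a request leaves the machine. The hosts preloaded.example, a.example, the lowercased header object and the injected clock are assumptions of the example. It shows that an HSTS policy learned from example.com does nothing for http://mint.com, that a look-alike like examp1e.com is not upgraded either, and that a policy served over plain HTTP is ignored.

```javascript
// Added example: a toy model of an HSTS policy store (RFC 6797 semantics, simplified).
// Assumptions: response headers arrive as an object with lowercased keys, and the clock
// is injected so expiry can be tested. Not the code of any real browser.

// Parse a Strict-Transport-Security header value into {maxAge, includeSubDomains},
// or null if it is invalid (max-age is required and must be an integer number of seconds).
function parseHstsHeader(value) {
  let maxAge = null;
  let includeSubDomains = false;
  for (const rawDirective of value.split(';')) {
    const directive = rawDirective.trim();
    if (!directive) continue;
    const [name, val] = directive.split('=').map((s) => s.trim());
    const lname = name.toLowerCase();
    if (lname === 'max-age') {
      if (!/^\d+$/.test(val || '')) return null;
      maxAge = Number(val);
    } else if (lname === 'includesubdomains') {
      includeSubDomains = true;
    }
    // Unknown directives (e.g. "preload", which only matters to list maintainers) are ignored.
  }
  if (maxAge === null) return null;
  return { maxAge, includeSubDomains };
}

class HstsStore {
  // preload: hosts compiled into the browser; they never expire and cannot be cleared.
  constructor(preload = [], now = () => Date.now()) {
    this.now = now;
    this.entries = new Map(); // host -> { expires: ms timestamp or Infinity, includeSubDomains }
    for (const { host, includeSubDomains } of preload) {
      this.entries.set(host.toLowerCase(), { expires: Infinity, includeSubDomains: !!includeSubDomains });
    }
  }

  // Learn a policy from a response. Only responses that actually arrived over HTTPS may
  // set HSTS; the header is ignored on plain HTTP, where a man in the middle controls it.
  // Returns true if the response changed (or deliberately kept) the store.
  observeResponse(url, headers) {
    const u = new URL(url);
    if (u.protocol !== 'https:') return false;
    const header = headers['strict-transport-security'];
    if (!header) return false;
    const policy = parseHstsHeader(header);
    if (!policy) return false;
    const host = u.hostname.toLowerCase();
    const existing = this.entries.get(host);
    if (existing && existing.expires === Infinity) return true; // preloaded entries win
    if (policy.maxAge === 0) {
      // max-age=0 means "forget this host"
      this.entries.delete(host);
      return true;
    }
    this.entries.set(host, {
      expires: this.now() + policy.maxAge * 1000,
      includeSubDomains: policy.includeSubDomains,
    });
    return true;
  }

  // Is this exact host, or a parent domain with includeSubDomains, a known HSTS host?
  // The match is on the host name itself, so examp1e.com is unrelated to example.com.
  isKnown(host) {
    const labels = host.toLowerCase().split('.');
    for (let i = 0; i < labels.length; i++) {
      const candidate = labels.slice(i).join('.');
      const e = this.entries.get(candidate);
      if (!e) continue;
      if (e.expires < this.now()) { this.entries.delete(candidate); continue; } // expired
      if (i === 0 || e.includeSubDomains) return true;
    }
    return false;
  }

  // The URL the browser will actually fetch: http -> https for known hosts, before any
  // network request is sent (the URL parser maps the default port for us).
  resolve(url) {
    const u = new URL(url);
    if (u.protocol === 'http:' && this.isKnown(u.hostname)) u.protocol = 'https:';
    return u.href;
  }
}

// The scenarios from the thread, with constructed inputs.
function demo() {
  const store = new HstsStore([{ host: 'preloaded.example', includeSubDomains: true }]);
  // Constructed response: example.com served HSTS over HTTPS on an earlier visit.
  store.observeResponse('https://example.com/', { 'strict-transport-security': 'max-age=31536000' });
  return {
    exampleUpgraded: store.resolve('http://example.com/mypage'),
    mintNotUpgraded: store.resolve('http://mint.com/justin'),
    lookalikeNotUpgraded: store.resolve('http://examp1e.com/myotherpage'),
    preloadedSubUpgraded: store.resolve('http://www.preloaded.example/'),
    // A policy delivered over plain HTTP is not trusted.
    httpHeaderIgnored: store.observeResponse('http://mint.com/', { 'strict-transport-security': 'max-age=1' }),
  };
}
```

Run demo() to see the decisions: only the host the browser has actually learned (or preloaded) is rewritten to https, which is exactly why a link to mint.com on an HSTS-enabled example.com page, or a link to a look-alike domain inserted by a man in the middle, stays plain http.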
I don't understand that. If I serve http://example.com/mypage, which has a link to http://mint.com/justin, you won't convert that to https://mint.com/justin, right? Even if example.com has HSTS enabled? Because that would assume that mint.com has HTTPS, or else the whole thing breaks.
Because in that case a man in the middle can just insert links to other domains (say, http://examp1e.com/myotherpage when I was serving a link to http://example.com/myotherpage) and still have the attack work. Like the GP said, only starting at an HTTPS page would solve this.
But you're the expert and I'm not, so what am I missing? :-)