One possibility for a gradual approach: sites which have both HTTP and HTTPS servers, are marked insecure when user browses to the HTTP version. The knowledge about the presence of both HTTP and HTTPS can be hard-coded for popular websites* and/or inferred from history in the client.
* I mean popular websites that don't send HSTS header, such as reddit.com. Those that send the HSTS header would anyway be subjected to automatic redirection.
PS. We are considering this option in the gngr browser (https://gngr.info). We are also considering going further and not loading the HTTP page automatically. The user would need to press "OK" to proceed.
* I mean popular websites that don't send HSTS header, such as reddit.com. Those that send the HSTS header would anyway be subjected to automatic redirection.
PS. We are considering this option in the gngr browser (https://gngr.info). We are also considering going further and not loading the HTTP page automatically. The user would need to press "OK" to proceed.