Because of lacking SNI support? You can try an Ajax request or loading a picture over SSL and then redirect with JS if it doesn't fail. If the SSL site serves HSTS headers, all SNI supporting browsers will in the future default to HTTPS independently of the kludgey redirect (because all browsers that support HSTS also support SNI).
Sure. An unconditional redirect would be better, but that requires a dedicated IP
> You can try an Ajax request or loading a picture over SSL and then redirect with JS if it doesn't fail.
Neat idea, but wouldn't this still be exposed to ISP-level attacks? Since the user is still loading the page initially in plain HTTP, so the ISP could still inject code, remove the JS redirect, etc.
Yes, no redirect can protect the user from that. In fact, not even completely disabling HTTP can - the ISP can respond on port 80 anyway. But it can protect them if they open it on a safe connection and then bookmark the page, or keep the tab open, or send the link to someone else, and then use that link on an unsafe connection.
What is the point of the redirects? If the user wants to use the https version he would directly go to that (either manually or by using something like httpseverywhere). Why force to user to use a specific one?
Because most people have no idea what HTTPS is, let alone that you can manually switch between the two. Nor do they know what a browser addon is, let alone knowing that specific one exists.
