> Give it a shot. Send someone a link to the non-SSL sign in and it won’t flip them over to SSL. It will also accept your credentials via non-SSL POST. So fire up SSLStrip and head down to your local coffee shop.
If you are in a position to execute a MITM, it doesn't matter whether they flip people to HTTPS or not. If the site forced HTTPS you could still rewrite the redirect and proxy the HTTPS to HTTP (the secure connection being between your proxy server and Evernote's). Only strict transport security would solve this, if the browser supports it and the user has accessed Evernote before.
Yeah, this is an entirely valid criticism. It was more of a nitpicky point that they weren't flipping to HTTPS automatically, but from a practical standpoint it's no more secure if they did since they lack HSTS.
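The thread's point is that an HTTP-to-HTTPS redirect alone does not protect a sign-in page, and that only an HSTS policy (with its own caveats) changes the picture. The script below is an added example, not code from the thread or from Evernote: it parses a `Strict-Transport-Security` header the way a browser would (ignoring it when received over plain HTTP, rejecting it when `max-age` is missing or malformed) and reports the gaps a site owner would want to close. The sample responses are constructed, and `example.invalid` is a placeholder host; nothing is fetched over the network.

```python
"""Assess the HSTS posture of a sign-in page from captured responses.

Added example (not from the thread). All responses below are constructed
samples; the script runs offline.
"""
import re

# One year is the floor commonly recommended for max-age; shorter values
# leave a window where a stale policy has expired before the next visit.
MIN_MAX_AGE = 31536000


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into a dict.

    Directives are separated by ';' and are case-insensitive. Returns None
    when max-age is absent or not a decimal integer, because browsers treat
    such a header as invalid and ignore it.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, raw = part.partition("=")
        name = name.strip().lower()
        raw = raw.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"\d+", raw):
                return None
            policy["max_age"] = int(raw)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    if policy["max_age"] is None:
        return None
    return policy


def assess(response):
    """Return a list of findings for one response; an empty list means no gap found.

    `response` is a dict with keys scheme ('http'/'https'), status (int) and
    headers (dict), i.e. what an operator would capture from their own site.
    """
    findings = []
    headers = {k.lower(): v for k, v in response["headers"].items()}

    if response["scheme"] == "http":
        # A policy delivered over plain HTTP is ignored by browsers, so the
        # only useful thing an HTTP response can do is redirect to HTTPS.
        location = headers.get("location", "")
        if not (response["status"] in (301, 302, 307, 308)
                and location.lower().startswith("https://")):
            findings.append("plain-HTTP sign-in page served without redirecting to HTTPS")
        return findings

    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header: a downgraded link stays on HTTP")
        return findings
    policy = parse_hsts(hsts)
    if policy is None:
        findings.append("malformed HSTS header (missing or non-numeric max-age): browsers ignore it")
        return findings
    if policy["max_age"] == 0:
        findings.append("max-age=0 removes any stored policy instead of setting one")
    elif policy["max_age"] < MIN_MAX_AGE:
        findings.append(f"max-age={policy['max_age']} is below the one-year floor")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains absent: subdomains may still be reached over HTTP")
    if not policy["preload"]:
        findings.append("preload absent: the first visit is unprotected until the header is seen")
    return findings


# Constructed sample responses for a placeholder host (not real captures).
SAMPLES = {
    "http_signin_no_redirect": {"scheme": "http", "status": 200,
                                "headers": {"Content-Type": "text/html"}},
    "http_redirect": {"scheme": "http", "status": 301,
                      "headers": {"Location": "https://example.invalid/login"}},
    "https_no_hsts": {"scheme": "https", "status": 200, "headers": {}},
    "https_weak": {"scheme": "https", "status": 200,
                   "headers": {"Strict-Transport-Security": "max-age=300"}},
    "https_good": {"scheme": "https", "status": 200,
                   "headers": {"Strict-Transport-Security":
                               "max-age=31536000; includeSubDomains; preload"}},
}

if __name__ == "__main__":
    for name, resp in SAMPLES.items():
        print(name, "->", assess(resp) or "ok")
```

The check mirrors what the thread describes: the `http_signin_no_redirect` sample is the case the quoted comment complains about, `http_redirect` shows that a redirect alone yields no finding at the HTTP layer yet is still downgradeable, and only the `https_good` sample carries a policy a browser would remember on later visits.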