I'm reading over this page and it says that if a site is SSL and the user tries to access it via regular HTTP, the application should not redirect the user to HTTPS. It should just block him. Can someone verify the validity of this? It doesn't sound like a good idea, and I wonder what the real risk is of just forwarding the user to https. It seems that there is no technical reasons behind it, just that it's a good way to educate the user.
Disable HTTP access to the domain,don’t even redirect or link it to SSL.Just inform the users this website isnot accessible over HTTP and they haveto access it over SSL.
This is the best practice against MITMand phising attacks. This way yourusers will be educated thatapplication never accessible over HTTPand when they come across to a phisingor MITM attack they will knowsomething is wrong.
One of the best ways to protect yourapplication against MITM attacks andphising attacks is educating yourusers.