Do browsers know domains that are supposed to be encrypted?


Do browsers have a list with sites that are supposed to be encrypted?

Could a man-in-the-middle attack be performed by presenting a user an http site instead of an https site? That way the server would not need to provide a certificate.

It wouldn’t show up as a secure site in the browser but I think most people wouldn’t notice it. And it wouldn’t warn the user, because there are legitimate sites that don’t use https.

Would such an attack be possible or does the browser notice that the site is supposed to use https but doesn’t?