- assume some example download link
- https://www.torproject.org/dist/torbrowser/6.5.2/tor-browser-linux64-6.5.2_en-US.tar.xz
- could be any
- forget that it's on torproject.org
- assume the user has only a single open tab
- assume the user knows he is pasting an https link into the url bar
- assume https everywhere is not effective for that website
- assume the website does not use HSTS
- assume the website does not use HSTS preloading
- assume the website does not use HTTP Public Key Pinning (HPKP)
In this situation there was a bug. The user has no way to know if the file is being downloaded over https or if sslstrip made the user download over plain http. It's because one cannot see a padlock. It's just empty. I have no bug report for reference handy.
Could you please research whether this is still the case, and reference a bug report? @HulaHoop
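As an added illustration (not part of the post above, and not Tor Browser code), the following script models the check that a padlock would normally give the user during a download: it walks the hops of a download from the client's point of view and flags any point where the transport drops from https to plain http. The function names (`resolve_chain`, `check_download_transport`) and the redirect targets are assumptions made for this example; the only URL taken from the post is the original torproject.org link, and the redirect chains are constructed, not observed.

```python
"""Check a download's hop chain for an https -> http downgrade.

The post above notes that a file download shows no padlock, so the user
cannot tell whether the bytes arrived over https or whether an
sslstrip-style attacker downgraded the transfer to plain http. This
example models what a client-side check would look at: the requested
URL followed by every Location header the client obeyed. All redirect
targets below are constructed sample values.
"""
from urllib.parse import urljoin, urlsplit


def resolve_chain(start_url, location_headers):
    """Return the absolute URL of every hop: the requested URL, then each
    Location header resolved against the URL that issued it (so relative
    redirects such as '../file' are handled like a browser would)."""
    hops = [start_url]
    for loc in location_headers:
        hops.append(urljoin(hops[-1], loc))
    return hops


def check_download_transport(start_url, location_headers):
    """Classify a download's transport.

    Returns a dict with:
      hops         - absolute URL of every hop, in order
      downgrades   - (from_url, to_url) pairs where https became http
      final_scheme - scheme of the hop that actually delivered the file
      protected    - True only if every hop, including the final one, used https
    """
    hops = resolve_chain(start_url, location_headers)
    schemes = [urlsplit(h).scheme.lower() for h in hops]
    downgrades = [
        (hops[i], hops[i + 1])
        for i in range(len(hops) - 1)
        if schemes[i] == "https" and schemes[i + 1] == "http"
    ]
    return {
        "hops": hops,
        "downgrades": downgrades,
        "final_scheme": schemes[-1],
        "protected": all(s == "https" for s in schemes),
    }


# Constructed scenarios. The starting URL is the one quoted in the post;
# the redirect targets are invented to show the two outcomes side by side.
START_URL = (
    "https://www.torproject.org/dist/torbrowser/6.5.2/"
    "tor-browser-linux64-6.5.2_en-US.tar.xz"
)

# A benign redirect to a mirror that keeps https end to end (constructed).
CLEAN_CHAIN = (
    START_URL,
    ["https://dist.torproject.org/torbrowser/6.5.2/tor-browser-linux64-6.5.2_en-US.tar.xz"],
)

# The same download bounced to plain http: this is the case the user
# cannot see in the UI because no padlock is shown for downloads (constructed).
STRIPPED_CHAIN = (
    START_URL,
    ["http://www.torproject.org/dist/torbrowser/6.5.2/tor-browser-linux64-6.5.2_en-US.tar.xz"],
)

if __name__ == "__main__":
    for label, (url, locs) in (("clean", CLEAN_CHAIN), ("stripped", STRIPPED_CHAIN)):
        result = check_download_transport(url, locs)
        verdict = "protected" if result["protected"] else "DOWNGRADED"
        print(f"{label}: {verdict}; final scheme={result['final_scheme']}")
        for src, dst in result["downgrades"]:
            print(f"  downgrade: {src} -> {dst}")
```

The point of the `protected` flag is that the final hop matters as much as the first: a user who typed an https URL is only protected if the hop that actually delivered the file was also https, which is exactly the information the empty padlock area hides.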