> I don't follow this. Surely if your traffic is being intercepted and redirected to HTTP you don't get the browser padlock?

Yes, that's true - but most people are fooled if you simply replace the site's favicon.ico with a padlock image. Plus, browsers don't give any negative security feedback simply because you are accessing a site over HTTP.
The original presentation is worth reading: