Then if the user puts the https, and you show an invalid certificate before redirecting to the http version, you're still doing it wrong 2/2