I have a web app which works via https. A prospective user can visit the app via a non-secure URL (i.e. http://www.mywebsite.com) but when they do so, I have arranged the app to present a “Non-Secure” page, and then offer a button to redirect to the secure entry.
I do not know if this button is a good idea. Is it the kind of thing that can be hijacked by a MITM?
It’s perfectly acceptable. Even more desirable is just to detect that they are in the non-SSL version and then redirect to the SSL version automatically.
Someone could in theory hack your server, change the button to go to a different secure site, and pretend it’s yours. Their SSL certificate wouldn’t match yours, but who checks SSL certificates? That’s why they invented EV certificates, so the green bar tells you who it is.
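As an added illustration of the answer's "redirect automatically" suggestion (example code written for this page, not the original poster's app or the answerer's code): the plain-HTTP listener serves nothing except a 301 to the same path on https, and the HTTPS side sends a Strict-Transport-Security header. The caveat a practitioner should keep in mind is that the redirect page, button or no button, is still an unencrypted response that someone on the network path can rewrite; HSTS is what closes that gap on repeat visits, because after the first secure visit the browser rewrites http:// URLs for that host to https:// itself before sending anything. The host www.mywebsite.com comes from the question; the port numbers, the handler names and the cert.pem/key.pem file names are assumptions of this example.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"net/url"
)

// httpsTarget rebuilds the incoming request URL with the https scheme,
// keeping host, path and query so the user lands on the same page over TLS.
func httpsTarget(r *http.Request) string {
	u := url.URL{Scheme: "https", Host: r.Host, Path: r.URL.Path, RawQuery: r.URL.RawQuery}
	return u.String()
}

// redirectToHTTPS is the only handler on the plain-HTTP listener: it never
// serves application content, it only sends a permanent redirect to the TLS site.
func redirectToHTTPS(w http.ResponseWriter, r *http.Request) {
	http.Redirect(w, r, httpsTarget(r), http.StatusMovedPermanently)
}

// withHSTS adds Strict-Transport-Security to every HTTPS response. After the
// first secure visit the browser upgrades later http:// requests for this host
// on its own, so the tamperable plaintext redirect is never issued again
// until max-age (one year here) expires.
func withHSTS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Plain HTTP on :80 (assumed port): redirect everything, serve nothing.
	go func() {
		log.Fatal(http.ListenAndServe(":80", http.HandlerFunc(redirectToHTTPS)))
	}()

	// HTTPS on :443 (assumed port): the real application behind the HSTS wrapper.
	// cert.pem and key.pem are assumed file names for your certificate and key.
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "secure entry point")
	})
	log.Fatal(http.ListenAndServeTLS(":443", "cert.pem", "key.pem", withHSTS(mux)))
}
```

Note that HSTS only helps once the browser has seen the header over a valid HTTPS connection; the very first plaintext visit is still exposed, which is why an automatic redirect (rather than a page the user must read and click) keeps that window as short as possible.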