
The form action for login appears to be https, but not the code...

I don't know why people bother not just httpsing everything if they have the cert. It avoids these types of worries and appearance.



The form action for registration is not https. Also, they have nothing to prevent a MITM from changing where the form action goes.

Why would anyone use this...


I see this:

  <form method="post" action="https://deadmansswitch.org/userhome.html">
    Email:<br />
    <input type="text" name="email" /><br />
    Password:<br />
    <input type="password" name="password" /><br />
    <input type="submit" name="login" value="Log in" /><br />
    <a href="/createaccount.html" title="Create an account">Create an account</a>
  </form>

Also, what does/can anyone do to prevent a MITM attack? Even if they sent an HSTS header or a redirect, they're still subject to that.


That is the login form. I'm not sure how to paste code onto hacker news so here is a pastebin of the registration form.

http://pastebin.com/Ctkw6S2h

Well a better practice would be all HTTPS for the site. There are a lot of problems with this and I will probably write a blog post about it.

Everything about this site misses every best practice. 1. No CSRF tokens 2. Small secret tokens to trigger the switch. 3. passwords over http...

It's a joke.
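The complaints above (a password form served from an HTTP page, a registration form whose action is plain http, no HSTS) can be checked mechanically. This is an added example, not code from the thread or from the site; the sample HTML is constructed to resemble the quoted forms, and the only URLs it uses are the deadmansswitch.org ones already mentioned in the thread.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):  # records each <form>: resolved action, has a password field?
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or relative action resolves against the page's own URL.
            action = urljoin(self.page_url, a.get("action") or "")
            self._current = {"action": action, "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_credential_forms(page_url, html, response_headers):
    """Return findings for password forms: plaintext action, HTTP-delivered page, missing HSTS."""
    findings = []
    page_https = urlsplit(page_url).scheme == "https"
    parser = _FormCollector(page_url)
    parser.feed(html)
    for form in parser.forms:
        if not form["has_password"]:
            continue
        if urlsplit(form["action"]).scheme != "https":
            findings.append("password form posts over plaintext: " + form["action"])
        if not page_https:
            # An https action alone does not help: the HTTP page carrying the form can be altered in transit.
            findings.append("password form delivered over HTTP: " + form["action"])
    if page_https and "strict-transport-security" not in {k.lower() for k in response_headers}:
        findings.append("HTTPS page without Strict-Transport-Security header")
    return findings


# Constructed sample modelled on the forms discussed in the thread (not fetched from the site).
SAMPLE_HTML = """<form method="post" action="https://deadmansswitch.org/userhome.html">
<input type="text" name="email" /><input type="password" name="password" /></form>
<form method="post" action="/createaccount.html">
<input type="text" name="email" /><input type="password" name="password" /></form>"""
```

Calling `audit_credential_forms("http://deadmansswitch.org/", SAMPLE_HTML, {})` reports the login form as delivered over HTTP and the registration form as both delivered and posting over plaintext; the same forms on an HTTPS page with an HSTS header produce no findings.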


/me is unable to read :( sorry about that

Yeah, it is. Especially since their cert is over a year dead.


The cert is expired anyway.


I didn't even check. It expired in Jan 2013... wow, I'm betting the project isn't maintained anymore?


The whois record mentions a contact at http://www.digital-z.net/ which returns

  <html>
  <head>
  <title>One...</title>
  </head>
  <body>
  <center>
  May you live in not too interesting dreams.<br>
  Thank you and good night.<br>
  </center>
  </body>
  </html>
... which would indicate they're gone. And deadmansswitch.org has a footer that points to http://binarymonkey.com, which has a 2008 copyright date. In one year the app's domain will expire, which could be unfortunate if anyone expected an actual dead man's switch.


The bottom of the site says copyright 2014.


That could just be using a date()-type function.



