You can't redirect https traffic to http without having a valid certificate. But of course with all these CA problems, it could be possible to arrange one. It's then another story if users use http -> https redirection in the first place, due to leaving the https prefix out of the URL when connecting to the site the very first time. That's an immediate security fail, but it's up to users to get this straight. HSTS won't help, because in privacy mode all data between browser sessions will be purged, including HSTS data. Any failure to purge data between sessions could break privacy, because then it's known that you have already visited that site. But these questions are quite complex. Which configuration is best for each situation needs to be very carefully considered. I personally like DANE; if I were running any serious service, I would configure it. Some of my friends have already done that.
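The point about HSTS and privacy mode above can be made concrete with a small model of a browser's HSTS cache. The following is an added example, not code from the original post: it parses a `Strict-Transport-Security` header, records the policy per host, upgrades later plain-http navigations for hosts it knows (including subdomains when `includeSubDomains` was set), and then shows that clearing the cache at the end of a private session leaves the next http first visit unprotected. The browser-shipped HSTS preload list is modelled as a constructed set (`PRELOADED_HOSTS`) that survives the purge; the hostnames, header values and the one-second clock are all constructed for the illustration, and the preload matching is simplified to exact hostnames.

```python
"""Toy model of a browser HSTS cache (added example, not from the original post).

Shows why dynamically learned HSTS policy is lost when a privacy-mode session
is purged, while a host on the (constructed) preload list stays protected.
"""
import re
import time
from typing import Dict, Optional, Set, Tuple
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for the browser-shipped preload list; real browsers
# compile a large list into the binary, so it is not affected by cache purges.
PRELOADED_HOSTS: Set[str] = {"preloaded.example"}


def parse_hsts(header: str) -> Optional[dict]:
    """Parse a Strict-Transport-Security header value into its directives.

    Returns None when the header lacks a numeric max-age; a user agent must
    ignore such a header rather than guess a lifetime.
    """
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    max_age = directives.get("max-age")
    if max_age is None or not re.fullmatch(r"\d+", max_age):
        return None
    return {
        "max_age": int(max_age),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


class HstsCache:
    """Per-host HSTS state: host -> (expiry timestamp, includeSubDomains flag)."""

    def __init__(self, now=time.time):
        self._now = now
        self._entries: Dict[str, Tuple[float, bool]] = {}

    def observe(self, host: str, header: str) -> bool:
        """Record a policy learned over HTTPS. Returns True if it was accepted."""
        policy = parse_hsts(header)
        if policy is None:
            return False
        if policy["max_age"] == 0:
            self._entries.pop(host, None)  # max-age=0 tells the UA to forget the host
            return True
        self._entries[host] = (self._now() + policy["max_age"], policy["include_subdomains"])
        return True

    def is_known(self, host: str) -> bool:
        """True if an unexpired policy covers this host (directly or via a parent)."""
        if host in PRELOADED_HOSTS:
            return True
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_subdomains = entry
            if expiry <= self._now():
                continue  # expired policy no longer protects anyone
            if i == 0 or include_subdomains:
                return True
        return False

    def end_private_session(self) -> None:
        """Privacy mode: everything learned during the session is discarded."""
        self._entries.clear()

    def navigate(self, url: str) -> str:
        """Return the URL the browser would actually request for this navigation."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname or ""):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url


if __name__ == "__main__":
    cache = HstsCache()
    print(cache.navigate("http://shop.example/login"))        # first visit: stays http
    cache.observe("shop.example", "max-age=3600; includeSubDomains")
    print(cache.navigate("http://shop.example/login"))        # now upgraded to https
    cache.end_private_session()
    print(cache.navigate("http://shop.example/login"))        # purged: back to http
    print(cache.navigate("http://preloaded.example/"))        # preloaded: still https
```

The run shows the exact sequence the post describes: the first plain-http visit is never upgraded, the policy learned over https protects later visits within the session, and the purge at session end throws that protection away. The only host that stays upgraded afterwards is the one on the preload list, which is the standard answer to the "fresh session, first visit" gap.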