1Password does not enforce HTTPS on all subdomains
If a user is ever tricked into clicking a link to "http://1password.com" on Safari, or if they forget the "s" after "http" when manually typing the URL into their browser, 1Password will not redirect them to HTTPS (see screenshot below). This means someone can perform an MITM attack to push a malicious app onto a user's device when they navigate to the official 1password.com website to download their app. From a defense-in-depth perspective, there is no downside in redirecting users to HTTPS across all domains. It is also worth mentioning that virtually every website I have ever visited redirects HTTP to HTTPS, from banks (Chase) to forums (Reddit) to hotels (Hilton) to my local pizzeria (vicspizzerianc). In fact, even if my network physically blocks TCP port 443 and redirects my DNS to perform an MITM attack, the Safari browser itself will refuse to establish an HTTP connection if any of these domains are in the address bar. From an optics perspective, it does not look good for 1Password that they do not do this too.
EDIT: I am using macOS 25.6.1 and Safari version 26.5 (21624.2.5.11.4).
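
For site owners who want to check the two behaviours the post describes (an HTTP-to-HTTPS redirect on port 80, and a browser refusing plaintext outright), here is a small audit sketch; it is an added example, not part of the original post and not any vendor's code. It assumes the browser-side refusal comes from an HSTS policy (the post does not name the mechanism), uses the HSTS preload list's published thresholds, and runs on constructed responses for the hypothetical host `example.test`.

```python
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # minimum max-age the HSTS preload list asks for

def parse_response(raw):
    """Return (status, headers) from a raw HTTP response; header names lowercased."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(lines[0].split()[1]), headers

def audit(host, http_raw, https_raw):
    """List transport findings for `host` from its port-80 and port-443 responses."""
    findings = []
    status, headers = parse_response(http_raw)
    target = urlsplit(headers.get("location", ""))
    if status not in (301, 302, 307, 308):
        findings.append("http-no-redirect")          # content served in plaintext
    elif target.scheme != "https":
        findings.append("http-redirect-not-https")
    elif target.hostname != host:
        findings.append("http-redirect-changes-host")  # preload wants same-host first
    # HSTS only counts when received over HTTPS; browsers ignore it on plaintext.
    _, headers = parse_response(https_raw)
    sts = headers.get("strict-transport-security")
    if sts is None:
        return findings + ["hsts-missing"]
    directives = {}
    for part in sts.split(";"):
        key, _, value = part.strip().partition("=")
        directives[key.lower()] = value.strip('"')
    max_age = directives.get("max-age", "")
    if not max_age.isdigit() or int(max_age) < ONE_YEAR:
        findings.append("hsts-max-age-too-short")
    for flag in ("includesubdomains", "preload"):
        if flag not in directives:
            findings.append("hsts-no-" + flag)
    return findings

# Constructed sample responses (not captured from any real site).
PLAIN_200 = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
HTTP_REDIRECT = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.test/\r\n\r\n"
HTTPS_HSTS = ("HTTP/1.1 200 OK\r\nStrict-Transport-Security: "
              "max-age=63072000; includeSubDomains; preload\r\n\r\n")

if __name__ == "__main__":
    print(audit("example.test", PLAIN_200, PLAIN_200))       # no redirect, no HSTS
    print(audit("example.test", HTTP_REDIRECT, HTTPS_HSTS))  # clean
```

A redirect alone still leaves the first plaintext request exposed on a hostile network; only an HSTS policy the browser already holds, from an earlier HTTPS visit or the preload list, removes that request.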
