Say you punch in https...the destination doesn't get encrypted, just the data sent there. When the software sees "https://" come across the line, nothing is stopping it from redirecting you back to "http://". In a classic arp poisoning scheme punching in any url can result in the attacker doing whatever they want. Their machine can respond to the victim any which way it wants.
Your joking right? When the user enters https:// the browser create an encrypted connection to the remote server on (by default) the https port. The MiTM only sees encrypted traffic, it does NOT see 'https://' come across the line... All it sees in that scenario is the IP and port that the broswer attempts to connect to.
Sheesh, do you know anything about this?