The appropriate way for users to defend themselves is to simply install HTTPS Everywhere and check "Block all unencrypted requests".
This avoids sslstrip, requires no redirect magic and no HSTS.
Although somebody should really patch it to just display big fat warnings because it is somewhat annoying to turn it on and off all the time.
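As an added illustration of the point made in the comment above (this is not the commenter's code and not HTTPS Everywhere's own implementation), here is a small JavaScript model of both sides: what sslstrip does to a plaintext response in transit, and a client-side policy equivalent to "Block all unencrypted requests". The classification of schemes (https:/wss: as encrypted, http:/ws:/ftp: as plaintext, data:/blob:/about: as non-network), the sample page, and the page URL `http://bank.example/` are all my assumptions for the demo.

```javascript
// Added example, not code from the original comment or from HTTPS Everywhere.
// Models why refusing every plaintext request at the client defeats sslstrip
// without depending on server redirects or HSTS.

// Simulate sslstrip: rewrite every https:// reference in a plaintext response
// body to http://. Real sslstrip also rewrites Location headers and keeps its
// own TLS session to the real server; only the link rewriting is modelled here,
// which is enough to show the downgrade the victim's browser sees.
function stripHttps(body) {
  return body.replace(/https:\/\//gi, "http://");
}

// Pull href/src targets out of an HTML fragment.
// Deliberately simple regex for constructed input, not a real HTML parser.
function linksFrom(html) {
  const out = [];
  const re = /\b(?:href|src)\s*=\s*"([^"]*)"/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Client-side policy (assumed classification): TLS-protected network schemes
// are allowed, plaintext network schemes are blocked, and non-network schemes
// pass because they never touch the wire. Anything else is blocked (fail closed).
const ENCRYPTED = new Set(["https:", "wss:"]);
const PLAINTEXT = new Set(["http:", "ws:", "ftp:"]);
const LOCAL = new Set(["data:", "blob:", "about:"]);

// Resolve the URL against the page it appeared on, so a relative link on a
// page reached over http resolves to http and is blocked too.
function blockUnencrypted(url, base = "https://example.invalid/") {
  let u;
  try {
    u = new URL(url, base);
  } catch (e) {
    return { allowed: false, reason: "unparseable URL" };
  }
  if (ENCRYPTED.has(u.protocol)) return { allowed: true, reason: "encrypted" };
  if (LOCAL.has(u.protocol)) return { allowed: true, reason: "not a network request" };
  if (PLAINTEXT.has(u.protocol)) return { allowed: false, reason: "plaintext network request" };
  return { allowed: false, reason: "unknown scheme " + u.protocol };
}

// Run the server's page through the on-path attacker, then decide what the
// client would actually send. Returns one verdict per link found.
function simulate(pageUrl, serverHtml, policyOn) {
  const seenByClient = stripHttps(serverHtml); // attacker is on-path either way
  return linksFrom(seenByClient).map((href) => {
    const verdict = policyOn
      ? blockUnencrypted(href, pageUrl)
      : { allowed: true, reason: "no policy, browser follows the link" };
    return { href, sent: verdict.allowed, reason: verdict.reason };
  });
}

// Constructed sample: a login link the server sent as https, plus a relative
// image, on a page the victim reached over plain http.
const SAMPLE_PAGE = '<a href="https://bank.example/login">Log in</a> <img src="/logo.png">';
console.log("policy off:", simulate("http://bank.example/", SAMPLE_PAGE, false));
console.log("policy on: ", simulate("http://bank.example/", SAMPLE_PAGE, true));
```

With the policy off, the browser follows the downgraded `http://bank.example/login` link and the credentials go to the attacker in the clear; with it on, both the stripped link and the relative image are refused, which is the "no redirect magic and no HSTS" property the comment is pointing at.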