The Register® — Biting the hand that feeds IT

Comments on: British Gas security scare as payments page springs a leak

Direct Debit 

Posted Friday 4th May 2007 14:07 GMT

Has no one heard of using direct debit? Then there is no need to use their site to pay your bill.

Can't get safer than that.

Re: Direct Debit 

Posted Friday 4th May 2007 15:17 GMT

Ah yes, the wonders of Direct debit, giving permission for them to take any amount of money they see fit to take, when they see fit to take it...

I'm sure I'm not the only one who has been sent quite deep into the red, due to a "billing error".

DD not always suitable 

Posted Friday 4th May 2007 15:25 GMT

DD is fine, but doesn't always cover your usage, leaving an outstanding amount.

Even safer 

Posted Friday 4th May 2007 15:27 GMT

Or you could get a card meter fitted, and pay for your gas in the local newsagent's shop or petrol station using actual coins. That way, there's no risk of a payment going through on the wrong date, overdrawing your account and exposing you to outrageous bank charges.

Simple fix 

Posted Friday 4th May 2007 16:14 GMT

This is such a schoolboy error, especially when it's so easy to fix. Every page I code that takes credit card details or something equally private, I insert a simple check for HTTP, in which case it redirects to the same address over HTTPS. Then, even if I'm a muppet enough to link to it over the insecure address from somewhere else, it's still caught.

Mind you, short of the browser screaming at the user and bludgeoning them with an e-sledgehammer, it's very hard to get people to check for the secure link. Maybe browsers should start panicking and warning the user if they start filling out a form with credit-card-like details over an insecure connection.

Ian is right 

Posted Friday 4th May 2007 17:37 GMT

Ian's method is the best way -- always make your page check for HTTPS on its own; never trust that the user got to the page via HTTPS. Check for HTTPS, and if it's not secure, redirect to HTTPS. Simple, easy, secure.

However, as for Ian's suggestion of having browsers scream at the users if they start to enter information into a non-HTTPS form, I don't think that would do any good. I can't even count the number of times I have been at a client's and I saw them click OK on an error screen; when I ask them what it said, it's always the same answer -- "I don't know". Users are so in the habit of clicking "OK" (which explains why so many are infected by spyware) that they don't even bother reading the error screens anymore.
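The check the two comments above describe (the page itself verifies it was reached over HTTPS and redirects if not), written out as a WSGI middleware. This is an added example, not code from either commenter or from the site in the article; the host names, the trusted proxy address and the function names are all assumptions chosen for illustration. It adds two checks a practitioner would want alongside the redirect: it only believes X-Forwarded-Proto from a trusted reverse proxy (otherwise a client could claim "https" and skip the redirect), and it redirects only to an allow-listed host so a spoofed Host header cannot turn the redirect into an open redirect.

```python
"""Enforce HTTPS for a payments page as WSGI middleware (added example)."""
from urllib.parse import urlunsplit

# Constructed deployment values; replace with your own.
CANONICAL_HOST = "pay.example.com"
ALLOWED_HOSTS = {CANONICAL_HOST, "www.example.com"}
TRUSTED_PROXIES = {"10.0.0.5"}  # hypothetical TLS-terminating reverse proxy


def effective_scheme(environ):
    """Scheme the client actually used, 'http' or 'https'.

    wsgi.url_scheme describes the hop between the proxy and this app, so
    behind a TLS-terminating proxy it is always 'http'. X-Forwarded-Proto
    is only honoured when the immediate peer is a trusted proxy.
    """
    scheme = environ.get("wsgi.url_scheme", "http").lower()
    if environ.get("REMOTE_ADDR") in TRUSTED_PROXIES:
        forwarded = environ.get("HTTP_X_FORWARDED_PROTO", "")
        first = forwarded.split(",")[0].strip().lower()  # first hop in a chain
        if first in ("http", "https"):
            scheme = first
    return scheme


def redirect_host(environ):
    """Host for the Location header, restricted to an allow-list so a
    spoofed Host header cannot send users to an attacker's site."""
    host = (environ.get("HTTP_HOST") or environ.get("SERVER_NAME", "")).lower()
    if host.endswith(":80"):  # don't produce https://host:80
        host = host[:-3]
    return host if host in ALLOWED_HOSTS else CANONICAL_HOST


def https_redirect(environ):
    """Return None if the request is already HTTPS, otherwise a
    (status, headers, body) response that sends the client to HTTPS."""
    if effective_scheme(environ) == "https":
        return None
    method = environ.get("REQUEST_METHOD", "GET").upper()
    if method not in ("GET", "HEAD"):
        # A POST over plain HTTP has already crossed the wire in the clear.
        # Refuse it rather than silently replaying it; the form action itself
        # must point at the HTTPS address.
        body = b"This form must be submitted over HTTPS.\n"
        headers = [("Content-Type", "text/plain"),
                   ("Content-Length", str(len(body)))]
        return ("403 Forbidden", headers, body)
    path = environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", "") or "/"
    target = urlunsplit(("https", redirect_host(environ), path,
                         environ.get("QUERY_STRING", ""), ""))
    return ("301 Moved Permanently",
            [("Location", target), ("Content-Length", "0")], b"")


def require_https(app):
    """Wrap a WSGI app so every page, not just the payment form, gets the check."""
    def wrapper(environ, start_response):
        resp = https_redirect(environ)
        if resp is None:
            return app(environ, start_response)
        status, headers, body = resp
        start_response(status, headers)
        return [body]
    return wrapper
```

Wrapping the whole application rather than one page means the check still fires when some other page links to the payment form over the insecure address, which is exactly the mistake the first commenter wants to be caught.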

Even IE warns me 

Posted Friday 4th May 2007 17:47 GMT

Even IE warns me if I'm leaving a secured site for an insecure one. So unless I a) disable the warning or b) blindly click on OK, I don't go there unless I know it. Of course, as Chris points out, you can't protect the idiots.

Yes, you could get a card meter... 

Posted Monday 7th May 2007 06:33 GMT

if you LIKE paying well over the odds. Much the same as the way calls cost more from a pre-pay mobile phone, and so on and so forth.