> If they can do a man in the middle attack, then you could be entering your password onto a secure page in the baddies website. No-one really checks the certificate, as long as the url bar changes colour or a padlock appears.
Most browsers will pop up a scary warning. Sure, totally clueless people will click through, but anyone with clue is protected. So in order to be undetectable, a MitM attack needs to leave SSL (HTTPS) traffic alone and just play with the HTTP traffic.
> The [login] page [...] doesn't have to be [encrypted].
Wrong. Let me explain...
> You already accepted / trusted it when you filled in the form.
(I'm use the standard security-person meaning of "trusted" and "trustworthy". If I ask you to hold my wallet for a moment, you're "trusted". If you then run away with it, you were still "trusted" but you weren't "trustworthy").
_But,_ how did you know the form was trustworthy? Did you audit the source code of the page and every included script & css file, every single time you login? No, you didn't, because most browsers "view source" doesn't show included files (and if you're requesting them a second time to audit them then you've no way to know if the server gave you the same file). And even if you could theoretically, it's not practical for everyone to do a code audit on their bank every time they log in.
So the only practical way to know that the logon page is trustworthy is if it's sent from your bank's webserver over SSL.
> It makes sense to keep using ssl while inside the "secure" section, because of sensitive data, but to require it for a blank login form is not useful. Think about it, what are you trying to hide ? Public data or private data ? The form is already public anyway, so why hide it.
There are 2 advantages to SSL. You're concentrating on the encryption, which I agree is not needed for a blank login form. But SSL also provides authentication. And you need the authentication that the blank login form really came from your bank.
> The only other way to go is to use ssl for the whole internet. Otherwise the man could get in the middle anywhere !
Online banking is a high-value target with a track record of being attacked. It makes sense to provide more protection to it than to (say) The Register.
> He probably has keylogging trojans out there anyway, so ssl could be moot.
It's only moot for people who get infected with a trojan. For the rest of us, SSL provides useful security.