http://msmvps.com/blogs/alunj/archive/2006/04/24/92363.aspxI just knew this message was going to get badly diluted as it progressed. What Ullrich has 'discovered' is that banks provide the form to their users over a plain-text link - while taking the input from the form using an SSL link. This means that yourenCommunityServer 2008.5 SP2 (Build: 40407.4157)http://msmvps.com/blogs/alunj/archive/2006/04/24/92363.aspx#107961Thu, 17 Aug 2006 17:12:50 GMTd67277c4-116b-43f1-b688-e9ef184ea916:107961ClipperzThere are several banks that use non-SSL login pages. This does not mean they are sending your credentials in the clear, but the user has no way to tell if the login form is legit or spoofed.<br><br>Alun Jones moves from the findings of Johannes Ullrich, chief<img src="http://msmvps.com/aggbug.aspx?PostID=107961" width="1" height="1">http://msmvps.com/blogs/alunj/archive/2006/04/24/92363.aspx#93838Sun, 07 May 2006 18:40:27 GMTd67277c4-116b-43f1-b688-e9ef184ea916:93838JasonThere is a solution which works for me most of the time. Always fill in your password incorrectly the first time (blank is normally fine, but sometimes javascript forces you to put something). Afterwards, the failed login / try again page is normally secure. <div style="clear:both;"></div><img src="http://msmvps.com/aggbug.aspx?PostID=93838" width="1" height="1">http://msmvps.com/blogs/alunj/archive/2006/04/24/92363.aspx#93037Sun, 30 Apr 2006 16:09:27 GMTd67277c4-116b-43f1-b688-e9ef184ea916:93037ClipperZThere are several banks that use non-SSL login pages. This does not mean they are sending your credentials in the clear, but the user has no way to tell if the login form is legit or spoofed.<br><br>Alun Jones moves from the findings of Johannes Ullrich, chief <div style="clear:both;"></div><img src="http://msmvps.com/aggbug.aspx?PostID=93037" width="1" height="1">