Re [2], it doesn't matter if a form's action posts to an https link. Using an unencrypted HTML form to post to an encrypted post handler is a security anti-pattern. Attackers will simply intercept the form render instead of the post, alter the form, and insert themselves in the middle of the transaction. This attack is no harder than intercepting the POST itself.<p>Don't <i>ever</i> give your Google Mail password to another company. Even if they "encrypt" it on the wire, you can never be sure they're not storing it insecurely on the back end. Please take this from someone who spends his days beating up other people's applications: everyone screws up something.
Thomas: Wholeheartedly agree. Thus, [1].<p>I probably should have made this very clear: While the lack of encryption is maddening, the very worst part is that Tumblr isn't performing this data pull properly (and Google does provide a proper and relatively safe mechanism for doing what they're doing--it's used by Facebook, LinkedIn and anyone else with a need, API key and good conscience).
While I wasn't a huge fan of the tone here ("They really don’t give a shit, huh?"), it does seem like something that needs to be brought to everyone's attention.