WebApp Sec mailing list archives

Should login pages be protected by SSL?


From: Amir Herzberg <herzbea () macs biu ac il>
Date: Mon, 20 Jun 2005 18:20:13 +0200

Here is a simple question: should web login forms be always protected by SSL?

As a crypto/security expert, my answer is yes. I think this is necessary to protect against MITM attacks, as well as against the more common and easy phishing, pharming, and other forms of spoofing attacks, even the use of a near-typo URL (I just happened to go to citybank.com when my goal was citibank.com, and it took me a while to realize...).

But, apparently, not everybody agrees. In fact, some login forms, of very established corporations, are not protected by SSL (or TLS). Whenever I come across such a site, I contact the corporation and ask them to "fix" the page. Few do; most ignore me (or reply with a typical, meaningless corporate reply); but a few actually argue, and seriously, that their practice is sound.

Now, I didn't hear any argument which I found convincing, of course. In particular, I can't accept that "this is not a major threat". But I thought maybe this forum can shed more light on this matter. Comments? Opinions?

BTW, I keep a "hall of shame" web page listing those sites that ignored my warning or actually told me they don't consider this a security problem. I also keep a Q&A on phishing/spoofing, and some other related resources (in particular, I lead the development of TrustBar, a browser extension to help identify sites securely). See all this on my site.
--
Best regards,

Amir Herzberg

Associate Professor
Department of Computer Science
Bar Ilan University
http://AmirHerzberg.com
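
The check the post argues for can be automated. The following is an added example, not code from the original post or from TrustBar: it parses a page's HTML, finds every form that collects a password, and reports whether the page itself was served over plain HTTP or whether the form's action posts over plain HTTP. Both cases matter, since a form on an http:// page can be rewritten in transit even when its action says https://. The example.com URLs and the sample HTML are constructed for the demonstration.

```python
"""Flag login forms that are not protected by TLS (added example).

check_login_forms(page_url, html) returns one (action_url, verdict) tuple
per form that contains a password field, where verdict is
"page served over http", "form posts over http", or "ok".
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Record the action of each <form> and whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []       # dicts: {"action": str | None, "password": bool}
        self._current = None  # the form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action"), "password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            # type attribute is case-insensitive; a missing value means "text"
            if (attrs.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def check_login_forms(page_url, html):
    """Return findings for every form on the page that collects a password."""
    parser = _FormCollector()
    parser.feed(html)
    parser.close()
    page_scheme = urlsplit(page_url).scheme.lower()
    findings = []
    for form in parser.forms:
        if not form["password"]:
            continue
        # A missing or relative action submits back to the page's own URL.
        action = urljoin(page_url, form["action"] or "")
        action_scheme = urlsplit(action).scheme.lower()
        if page_scheme != "https":
            # The form itself arrived unauthenticated; an attacker on the path
            # can change the action, so an https action does not help here.
            findings.append((action, "page served over http"))
        elif action_scheme != "https":
            findings.append((action, "form posts over http"))
        else:
            findings.append((action, "ok"))
    return findings


# Constructed sample page: one relative-action login form, one that posts
# to a hard-coded http:// URL, and one search form without a password field.
SAMPLE_HTML = """
<html><body>
<form action="/login" method="post">
  <input type="text" name="user"><input type="password" name="pw">
</form>
<form action="http://www.example.com/auth" method="post">
  <input name="user"><input type="PASSWORD" name="pw">
</form>
<form action="/search"><input type="text" name="q"></form>
</body></html>
"""

if __name__ == "__main__":
    for url in ("http://www.example.com/", "https://www.example.com/"):
        print(url)
        for action, verdict in check_login_forms(url, SAMPLE_HTML):
            print("  ", action, "->", verdict)
```

Run against a live site, the same function would take the final URL after redirects and the fetched body; a page that merely redirects from http:// to https:// still exposes the user to a downgrade before the redirect, which is why the verdict keys on the scheme the form was actually delivered over.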

