I’ve been having a two year battle with a bank of mine in Spain trying to convince them to improve the security of their web authentication.  My beef was that the default logon form appears on a non-SSL page, and even though it’s gets posted to an SSL target, I thought the details were being passed in the clear.

When in doubt post your query at Sitepoint 🙂  I had a lot of informative answers but what did it for me was downloading a free windows packet-sniffer and checking out exactly what was going on.

I used something called etherdetect which you can also grab from tucows.  Aside from a few ‘trial version’ messages it really does a great job, and is recommending ‘playing’ for all web developers.

Anyways, it turned out I was wrong, more details of the discussion are over at this Sitepoint thread.