
The password warning is a great move by Mozilla.

They tackle a very common misconception: Many people think it's enough to transfer the password encrypted, because they think https is only about secrecy. But it's crucial to also submit the form via https, otherwise attackers can mess with the form itself.

A lot of webpages will be surprised by this; there are still quite a few that have insecure login forms.




But you also need to serve the page that links to the form via https, otherwise it's vulnerable to the same attack (just one step longer). Which probably means you need to serve everything over https. And even then you need HSTS in order to avoid MITM agents downgrading https back to http. And even then you want to register your site so that at least some of the major browsers preload your HSTS info (https://www.chromium.org/hsts). And as a user you just install HTTPS Everywhere, cross your fingers, and hope for the best.


> But you also need to serve the page that links to the form via https

Yes, in the limit. But current best-practices for user caution ("when you're entering personal information, check the address bar for the domain name you're expecting [and a lock icon]") would be enough to thwart that attack.



