[paulgb]

Keep in mind that a third party who has compromised the server could change the JavaScript to report password entries back to it.

[pdx]

You are concerned with a compromised server? If I control your server, I can harvest whatever a user types in, even on an HTTPS page.

[jodoherty]

With plain HTTP, it'd be very easy for someone running an open WiFi station or a corrupt ISP to set up a DNS server that points the domain to their own reverse proxy that then can modify the page that the user receives to include some additional JavaScript to forward the user's password or the decrypted page results after the user inputs their password.

This doesn't require compromising any servers, and a lot of laptops will configure their DNS settings based on what the local network's DHCP server sends them.

To the end user, it will appear as though nothing is wrong.

[paulgb]

That's true, but I was responding to a specific claim in the parent post