by falcolas 4088 days ago
All the MITM has to do is relay the traffic to the correct secure location, passing the credentials passed via the compromised HTTP connection, and the user's entire account is compromised.

Remember: HTTPS does not ensure the identity of the client.

1 comment

Relay what credentials from the HTTP connection? There are none...

It sounds like you are talking about creating a phishing page and injecting it, hoping the user enters their credentials, and stealing them. I already said this was possible.

User browses Amazon normally; the MITM proxy simply alters response links containing "https" back to http, keeping track of which links were downgraded so it can start relaying between http and https when one of those links is hit.

User requests login page over http

HTTP request is intercepted, and relayed over https to amazon

https response from Amazon is modified to show http links, and presented back to the user

User fills in credentials and submits request over http

Request is intercepted, and relayed over https back to Amazon

MITM now has all credentials.

Doesn't require any special tools, or a phishing page, just a spot between Amazon and the user, and the ability to re-write responses from https back to http.

HTTPS with an HSTS setting would mitigate this, since the browser would refuse to request the HTTP page if the user had ever successfully visited https://www.amazon.com before.
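The relay described in the steps above, and the HSTS behaviour that stops it, as an offline model. This is an added example, not code from the thread or from any real tool; the origin, its two pages, the HSTS header value and the credentials are constructed stand-ins, and the proxy only ever sees plaintext http, which is the whole point of the downgrade.

```python
"""Offline model of the https-to-http downgrade relay described in the comment above
and of the HSTS check that stops it. Added example, not code from the thread;
the origin, its pages and the credentials are constructed stand-ins."""
import re
from urllib.parse import urlsplit, urlunsplit

HTTPS_LINK = re.compile(r'https://([^\s"\'<>]+)')
HREF = re.compile(r'href="([^"]+)"')
ACTION = re.compile(r'action="([^"]+)"')

# Constructed pages; the origin serves them on either scheme (real sites redirect
# http to https, which a relaying proxy simply follows).
PAGES = {
    "/": '<a href="https://www.amazon.com/ap/signin">Sign in</a>',
    "/ap/signin": '<form action="https://www.amazon.com/ap/signin" method="post"></form>',
}
CREDS = {"email": "user@example.com", "password": "hunter2"}  # constructed


def origin(url):
    """Constructed origin: the HSTS header is only meaningful, and only sent, over https."""
    p = urlsplit(url)
    headers = {"Strict-Transport-Security": "max-age=31536000"} if p.scheme == "https" else {}
    return headers, PAGES.get(p.path, "")


def to_https(url):
    p = urlsplit(url)
    return urlunsplit(("https", p.netloc, p.path, p.query, p.fragment))


class StripProxy:
    """Sits between the user and the origin: talks https upstream, shows http downstream."""
    def __init__(self):
        self.downgraded = set()  # http URLs we rewrote, to be upgraded again when requested
        self.captured = []       # (url, form) pairs seen in plaintext requests

    def rewrite_response(self, body):
        def swap(m):
            http_url = "http://" + m.group(1)
            self.downgraded.add(http_url)
            return http_url
        return HTTPS_LINK.sub(swap, body)

    def relay_request(self, url, form=None):
        if form is not None:
            self.captured.append((url, dict(form)))
        return to_https(url) if url in self.downgraded else url


class Browser:
    def __init__(self):
        self.hsts_hosts = set()

    def observe_response(self, url, headers):
        # RFC 6797 section 8.1: a Strict-Transport-Security header received over plain http is ignored.
        p = urlsplit(url)
        if p.scheme == "https" and "Strict-Transport-Security" in headers:
            self.hsts_hosts.add(p.hostname)

    def outgoing_url(self, url):
        # Hosts with a known HSTS policy are upgraded internally; no http request ever leaves.
        p = urlsplit(url)
        return to_https(url) if p.scheme == "http" and p.hostname in self.hsts_hosts else url


def fetch(browser, proxy, url, form=None):
    """One request; only plaintext http is visible to (and rewritable by) the proxy."""
    wire = browser.outgoing_url(url)
    if wire.startswith("https://"):
        headers, body = origin(wire)           # proxy can only pass the TLS bytes through
    else:
        upstream = proxy.relay_request(wire, form)
        headers, body = origin(upstream)
        body = proxy.rewrite_response(body)
    browser.observe_response(wire, headers)
    return wire, body


def run_scenario(prior_https_visit):
    """Walk the thread's steps: home page, login page, credential POST."""
    browser, proxy = Browser(), StripProxy()
    if prior_https_visit:
        fetch(browser, proxy, "https://www.amazon.com/")   # browser learns the HSTS policy here
    _, home = fetch(browser, proxy, "http://www.amazon.com/")
    _, login = fetch(browser, proxy, HREF.search(home).group(1))
    wire, _ = fetch(browser, proxy, ACTION.search(login).group(1), CREDS)
    return {"login_post_url": wire, "captured": proxy.captured}


if __name__ == "__main__":
    for prior in (False, True):
        print("prior https visit:", prior, run_scenario(prior))
```

Without a prior https visit the credentials are posted over http and the proxy records them before relaying upstream over https; with one, the browser has cached the host's HSTS policy, rewrites every later http URL to https before it leaves the machine, and the proxy never gets a plaintext request to rewrite. Note that the model also ignores the HSTS header when it arrives over http, as browsers do, so the policy can only be learned from a genuine https response.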