
569 points todsacerdoti | 1 comments
1. arkh No.42609590
> Now about SSL/TLS, we programmers are often forced to do this because there are many users who, when faced with the absence of the padlock on the page, don't even bother to continue for fear of having their data stolen.

I got to experience this last week: some family member uses the Gmail app to consult Hotmail emails. Suddenly the app started asking to reenter login information: the message looked like a phishing mail. When you clicked on it, it popped what looked like the Outlook OpenID login page but without any address bar shown. Is it the app? Some webpage? Looks like phishing.

Perfect job from the UI team: either you don't update your credentials because it really looks like a phishing attempt or you get trained to use those credentials in random apps / websites.