This is yet another comment that reminds me of what in my mind is a related problem. I encounter more and more sites, including major ones, that include insecurely delivered (http://) assets into their secured pages (https://). My understanding is that this is another vector to get at e.g. forms and cookies, or basically anything on the page; by intercepting the insecure asset, you can inject yourself into the secure parent page.
I always wonder "what's up with that"? Is it that the particular assets don't lend themselves to injection, or an assumption that items delivered from a server under their control can't or won't be intercepted? If the latter, particularly once the traffic hits an unsecured wireless segment, I'd be inclined to say all bets are off.
EDIT: Nit: HN linkified the bare protocol designations.