Marlinspike noticed that many supposedly secure sites (including banking websites!) at the time presented content over insecure HTTP connections, upgrading to HTTPS only when the user logged in and provided the credentials.
