
Injecting JS into the page with the form isn't my main concern, even -- it's changing the form POST action to their own server rather than the one I think I'm logging into. That's much harder to detect and block without encryption.

Plaintext HTTP is scary stuff these days.


