What Ullrich has ‘discovered’ is that banks deliver their login form to users over a plain-text (HTTP) link, while taking the input from that form over an SSL link.
This means that your password is not exposed to the Internet in clear text when you enter it into your bank’s form.
However, it also means that you have nothing to prove that you are really connected to your bank’s form, other than a vague feeling that you typed in the right address, so anything that comes back must be from your bank.
With DNS hacks, and viruses that replace or edit your hosts file, that’s no guarantee of very much, sadly. These days you should want your bank to identify itself via a certificate, and that can only be done over an SSL link.
How do you know whether the form on your screen was delivered by SSL? That’s what the ‘padlock’ icon shows:
The only problem is that you also want your password to be sent back using SSL, and currently there’s no browser that I am aware of that will tell you whether this is the case, or prevent your form details from traveling back unprotected.
[It’s actually a computationally “hard” problem, possibly even computationally “impossible”, so let’s not be too down on the browser vendors.]
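An added example, not from the post, that audits a page for exactly this mixed pattern: it parses every form action out of constructed sample HTML and classifies each form by whether the page was delivered over HTTPS and whether the submission URL is HTTPS. The `bank.example` URLs and the sample markup are made up for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collect the action attribute of every <form> on a page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            self.actions.append(dict(attrs).get("action") or "")


def audit_forms(page_url, html):
    """Return (submit_url, verdict) for each form on the page.

    "ok":              page and submission both over HTTPS
    "unauthenticated": page over HTTP, submission over HTTPS; nothing
                       proved who served the form (the case in the post)
    "cleartext":       submission over HTTP, so the password is exposed
    """
    collector = FormCollector()
    collector.feed(html)
    page_https = urlsplit(page_url).scheme == "https"
    findings = []
    for action in collector.actions:
        submit_url = urljoin(page_url, action)  # "" posts back to the page itself
        if urlsplit(submit_url).scheme != "https":
            verdict = "cleartext"
        elif not page_https:
            verdict = "unauthenticated"
        else:
            verdict = "ok"
        findings.append((submit_url, verdict))
    return findings


# Constructed sample: a bank front page served over plain HTTP whose login
# form posts to HTTPS, plus a search form that submits in the clear.
SAMPLE_URL = "http://bank.example/"
SAMPLE_HTML = """<html><body>
<form action="https://bank.example/login" method="post">
  <input name="user"><input name="pass" type="password"></form>
<form action="/search"><input name="q"></form>
</body></html>"""
```

Calling `audit_forms(SAMPLE_URL, SAMPLE_HTML)` flags the login form as "unauthenticated" and the search form as "cleartext"; only a page and action that are both HTTPS come back "ok".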