Channel Register

Post: ssl

Alan

In Security shocker: 75% of US bank websites have flaws

"Placing secure login boxes on insecure pages, i.e. pages that aren't protected by secure sockets layer. That allows passwords to be intercepted through man-in-the-middle attacks."

Pages are never "protected" by ssl. The transfer is what ssl "protects".

If they can do a man-in-the-middle attack, then you could be entering your password onto a secure page in the baddies' website. No-one really checks the certificate, as long as the url bar changes colour or a padlock appears.

If you are using a POST to submit the data, post it to https://.

That transaction is encrypted. The page that's already on your computer doesn't have to be, and didn't need to be on the server. You already accepted / trusted it when you filled in the form.

It makes sense to keep using ssl while inside the "secure" section, because of sensitive data, but to require it for a blank login form is not useful. Think about it: what are you trying to hide? Public data or private data? The form is already public anyway, so why hide it?

Have a look at this for the order of things http://www.securityfocus.com/infocus/1818

Figure 2 explains things nicely.

You are free to use ssl how you wish, however, even if using it unnecessarily achieves nothing but a warm glow in your investors' pockets.

The only other way to go is to use ssl for the whole internet. Otherwise the man could get in the middle anywhere! He probably has keylogging trojans out there anyway, so ssl could be moot.