Comment Re:Sign up? (Score 1) 349
Right.
That's a classic model for attacking with a MITM. MITM the http page (because you can). Get a cert for, say, irs.taxservices.com instead of irs.gov. On the switch to https, redirect to irs.taxservices.com. Continue to MITM, proxying to irs.gov while the user enters all their secrets.
This is why the home page should be https.
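
A defender's view of the redirect described in the comment above, as an added example that is not part of the original comment: it audits a recorded redirect chain for a plaintext first hop and for any hop that leaves the expected domain. The function names and both sample chains are constructed for illustration, and the Strict-Transport-Security check is an extra hardening test the comment does not mention.

```python
from urllib.parse import urlsplit, urljoin

# Constructed sample data: each hop is (requested URL, Location header or None,
# response headers) as a client would record them after the user types a hostname.
CLEAN_CHAIN = [
    ("https://irs.gov/", None, {"Strict-Transport-Security": "max-age=31536000"}),
]
TAMPERED_CHAIN = [
    ("http://irs.gov/", "https://irs.taxservices.com/", {}),
    ("https://irs.taxservices.com/", None, {}),
]

def host_allowed(host, expected_domain):
    """True only for the expected domain itself or a subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == expected_domain or host.endswith("." + expected_domain)

def audit_chain(chain, expected_domain):
    """Return a list of findings for one recorded redirect chain (hypothetical helper)."""
    findings = []
    for i, (url, location, _headers) in enumerate(chain):
        parts = urlsplit(url)
        if parts.scheme != "https":
            # Anything fetched over http can be rewritten by whoever is on the path.
            findings.append(f"hop {i}: plaintext {url} can be rewritten in transit")
        if not host_allowed(parts.hostname, expected_domain):
            findings.append(f"hop {i}: host {parts.hostname} is outside {expected_domain}")
        if location is not None:
            # Resolve relative Location values against the requesting URL first.
            target = urlsplit(urljoin(url, location))
            if not host_allowed(target.hostname, expected_domain):
                findings.append(
                    f"hop {i}: redirect leaves {expected_domain} for {target.hostname}")
    last_url, _, last_headers = chain[-1]
    hsts = {k.lower(): v for k, v in last_headers.items()}.get("strict-transport-security")
    if urlsplit(last_url).scheme == "https" and not hsts:
        # Without HSTS the browser will try http again on the next visit.
        findings.append("final page sets no Strict-Transport-Security header")
    return findings

if __name__ == "__main__":
    for name, chain in (("clean", CLEAN_CHAIN), ("tampered", TAMPERED_CHAIN)):
        print(name, audit_chain(chain, "irs.gov"))
```

A valid certificate on the final hop does not clear any of these findings, since the lookalike host holds a legitimate certificate for its own name.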