I recently posted a bug on mozdev about TrustBar. TrustBar is an anti-phishing toolbar that tells you whether the currently loaded https:// page is using a valid certificate, who verified it, and who it was verified as. This means that when you log into something like eBay or ThinkGeek, you're told that you are indeed logging into them.
What TrustBar will not do is check who a regular http:// page belongs to, validate the action target of a form, or look for cross-domain form actions. Because of this, sites like PayPal, Amazon, Regions Bank, or Bank of America can raise false "Unprotected log-in" alarms in TrustBar even though the form actually submits to a secure https:// CGI action.
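As an added example (not TrustBar's own code), the following checker does the missing step: it finds each form on an http:// page that carries a password field, resolves its action to an absolute URL, and classifies whether the submission stays on the same site over https://, goes to another site, or leaves the browser in clear text. The "same site" rule (last two DNS labels) and the sample page are assumptions made for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption: "same site" means the last two DNS labels match (www.example.com and
# login.example.com are one site). A real checker should consult the Public Suffix List.
def site_of(host):
    return ".".join((host or "").lower().split(".")[-2:])

def classify_action(page_url, action_url):
    """Classify where a form will submit, relative to the page that carries it."""
    page, act = urlsplit(page_url), urlsplit(action_url)
    if act.scheme != "https":
        return "insecure-action"      # credentials would leave the browser in clear text
    if site_of(act.hostname) != site_of(page.hostname):
        return "cross-domain"         # encrypted, but not to the site the user is looking at
    return "secure-same-site"         # the case the toolbar currently reports as unprotected

class LoginFormCollector(HTMLParser):
    """Record every <form> holding a password field, with its action made absolute."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self._form = page_url, [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": urljoin(self.page_url, a.get("action") or ""), "login": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None and (a.get("type") or "").lower() == "password":
            self._form["login"] = True
    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def audit_login_forms(page_url, html):
    """Return (action_url, verdict) for each login form found on the page."""
    p = LoginFormCollector(page_url)
    p.feed(html)
    return [(f["action"], classify_action(page_url, f["action"])) for f in p.forms if f["login"]]

# Constructed sample: an http:// landing page with three forms. Only the first and third
# are login forms; the first posts to the site's own https:// handler, the third does not.
PAGE_URL = "http://www.example.com/"
SAMPLE_HTML = """
<form action="https://www.example.com/cgi-bin/login" method="post">
  <input name="user"><input type="password" name="pass"></form>
<form action="/search"><input name="q"></form>
<form action="http://login.example.net/auth" method="post"><input type="PASSWORD" name="p"></form>
"""
```

Run `audit_login_forms(PAGE_URL, SAMPLE_HTML)` to see the first form judged secure-same-site and the third insecure-action; a toolbar applying this rule would only alarm on the third.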
The most vigilant users don't need TrustBar for these sites. They can tell they're being owned by simple factors such as deformed URIs that redirect through Google, or by Firefox suddenly not filling in their username and password. As for the others, they'll develop a comfort zone with these sites, accepting that they're secure even though TrustBar false-alarms. During a real attack, they will ignore the alarms, because alarms on these sites are normal.
I have re-explained the dangerous situations and how to correct for them with appropriate countermeasures. I also reopened the bug as an enhancement. I urge my readers (if I even have any) to actually read the long post top to bottom, and then post commentary urging the author to consider implementing these countermeasures. These phresh phish need to be skinned alive, and I believe it can be done.