But seriously, you're just as screwed if they inject HTML that changes the form submit URL for your password to an attacker-controlled site. The real answer to this problem is HTTPS, everywhere.
My point is that this should be a concern for the developer of an application and not be pushed onto the "dumb user".
I'm sure that there are better answers than three-letter acronyms.
It's unreasonable to assume that the majority of users surf through a VPN because no one bothers, not because of any technical difficulties. But it's also unreasonable that the majority of users will surf with JS disabled by default.
In general, there's very little a developer can do against a hostile network if their users are clueless. Even SSL is only useful as long as the network operator doesn't deSSLify the connection on the fly or the user catches that.
How is this possible?
1. Alice enters "paypal.com" into her browser.
2. Alice's browser issues a request to http://paypal.com/
3. Mallory intercepts this request, and replays it.
4. http://paypal.com redirects to https://www.paypal.com/
5. Mallory's proxy fetches the Paypal content and returns it to Alice.
6. Alice sees "http://www.paypal.com/..." in her URL bar without the green lock, but doesn't notice.
7. Alice enters her password.
8. Mallory steals all her money.
I also do check that the lock is on, or for a site like a bank or paypal, that the address bar is green.