How is this possible?
1. Alice enters "paypal.com" into her browser.
2. Alice's browser issues a request to http://paypal.com/
3. Mallory intercepts this request, and replays it.
4. http://paypal.com redirects to https://www.paypal.com/
5. Mallory's proxy fetches the Paypal content and returns it to Alice
6. Alice sees "http://www.paypal.com/... in her URL bar without the green lock, but doesn't notice.
7. Alice enters her password.
8. Mallory steals all her money.
I also do check that the lock is on, or for a site like a bank or paypal, that the address bar is green.