> You realize that anything the real BofA site adds to increase security can be removed by the proxy?

This is true for targeted attacks only. A second JS layer doing crypto can at least prevent firesheep-class untargeted mass snooping of auth data.