This isn’t end-to-end encryption. It’s dangerous to ask people to enter their SSH credentials into a page that’s served over HTTP.
If it were served over HTTPS, it might provide “end-to-end” encryption, but it still wouldn’t be MITM-proof (see this and this for an explanation of why that is).
Edit: What could make this better would be to position it as software that people are supposed to install on their own servers and serve over HTTPS. Then at least the MITM issue would be reduced to X.509 (inferior to SSH alone, which does TOFU). But… then people would wonder why on earth they’re using this in the first place instead of just using an SSH client. :P
The HTTP site now directs to HTTPS. I’d be interested in further input on the possible security implications.
In its present form it’s a technical demo (as the FAQ suggests). But I think it’s an interesting alternative to something like shellinabox.