Many security-critical web applications, such as online banking and e-commerce, require a secure communication path between the user and a remote server. Securing this end-to-end path is challenging and can be broken down into several segments. The network part between the user's machine and the server is usually well protected, using secure communication protocols, such as the Transport Layer Security (TLS) protocol. However, the user's sensitive inputs (such as password and credit card number) are handled by the operating system (OS) and the web applications before being encrypted and passed on to the network; also some sensitive information from the server (such as private account balance and transaction confirmation) is handled by OS/applications before being displayed to the user. This user interface part of the communication path, which includes the OS and web applications, is often untrusted because of possible malware (virus, rootkits, spyware, etc.) and vulnerabilities within the client. In this paper, a secure user interface running under an untrusted OS is proposed, which is independent of the OS/applications and has a very small code base size. This secure user interface attests itself to the remote server and then handles the sensitive input and output by itself, bypassing the OS kernel and web applications. It utilizes network software stacks in the OS, however, the sensitive information is cryptographically protected before being revealed to the potentially malicious OS. This ensures the confidentiality and integrity of the sensitive information. Using this secure user interface, even while running under untrusted OS/applications, the user's sensitive input, private output, and transaction integrity can be protected.