you want to use https. Note that even if you do, you will still see the unencrypted values in the browser, because when firebug grabs the data (either way) it has not been encrypted/decrypted yet.
I really think biting the bullet and setting up https is the way to go. It is well-vetted technology. If you want to roll your own, its not going to be secure, and you are going to have to do a lot of work on both the client and server.
