Re: Should login pages be protected by SSL?

[Torsten Mueller <torsten () archesoft de>]

Hello,

possibly i didn't get the whole discussion, but i did read your
mail.

Amir Herzberg schrieb:
> Yes, but Amazon does not use SSL to protect the page in your login to 
> the (critical!) one-click mechanism, see at their site 
> http://www.amazon.com/exec/obidos/flex-sign-in/ref=gw_bt_oc/002-2834753-6756032?opt=a&page=ordering/one-click-address-sign-in-secure.html&response=one-click-main&method=GET&return-url=one-click-main 

At least you send the datas to a SSL server, as the form action is:
<form 
action=https://www.amazon.com/exec/obidos/flex-sign-in-done/102-3033151-0316943 
method=POST>

Even if the login form itself is not protected, the datas you enter
and submit are protected.
If you want to complain, that the login form itself isn't on a
SSL protected server, o.k. you are right. But even, if it would be
on a SSL protected server the form action could lead to an
non SSL capable webserver.

So the important part is not, from where the login form comes, but
where the datas are sent.
(IMO this should be checked by the client/browser.)

But only my 2 cents.

Torsten