Ask HN: Should a login page use SSL?

8 points by MarkHarmon almost 12 years ago

First off, I'm not trying to tattle on my web host here. In a forum post, for my web hosting service, I made the following statement.

"I already feel exposed having to login to the forums without an https login page."

This was in a discussion about their lack of support for encrypted password transmission for their mail server.

The reply I got from my host was.

"I don't know of a forum anywhere that uses an https login.

As far as account compromises that we see (and we see a lot of them), they are almost exclusively due to compromised home or workplace computers, or insecure web sites, not intercepted Internet traffic.

I'm not saying it doesn't happen anymore, but it's exceptionally rare these days, primarily because it's infinitely easier to drop malware or viruses on tens or hundreds of thousands of people in one fell swoop than it is to intercept and analyze an individual user's traffic looking for logins.

Security concerns are certainly always valid, and if you have reason to believe someone is targeting you, I can understand the desire for heightened security everywhere you enter a login. But the fact is most people would be better served ensuring security closer to home."

I can understand the claim that accounts are more likely to be compromised by users not being careful with their own computers, but something about this reply is lowering my confidence. The reason is that many users will create forum accounts using the same credentials (as their host control panel login), which makes for an easy target IMO.

Is this (non-ssl login page) really as common practice as the reply claims? And if so, shouldn't that be changed, or am I just being too paranoid?

EDIT: Clarified statement.

4 comments

tectonic almost 12 years ago

Yes.

Beyond that, there's really no excuse for not using SSL everywhere now. If a site has user data, or requires any sort of login, it should use SSL everywhere.

mechanical_fish almost 12 years ago

You're correct about the forums, of course, but obviously the real problem is this:

*their lack of support for encrypted password transmission for their mail server*

Unacceptable. Get the heck out of there before you lose something vital.

That's the thing about being shipshape. Why do you focus on getting the little things right? Because the attitude you bring to the little things is the same one you bring to the big things. And because, especially in security or reliability, big problems are built out of minor problems that accumulate or escalate without warning.

minglot almost 12 years ago

You absolutely should have SSL be required when having a login form. Like 'ctb_mg' said, it's hard to believe we are having this discussion. It's scary where plaintext goes and how easy it is to intercept.

The tough thing is that not too many years ago it was perfectly normal to not use https for logins into anything except ecommerce, online banking, and serious corporate and government stuff. Even Gmail didn't default to https until a few years ago - long after they were huge!

We also have to remember that SSL certificates suffered a lot on shared hosting due to dedicated IP requirements (until SNI) and just plain being difficult and confusing to set up. That's a huge barrier for Average Joe that wants to set up a forum about race cars or Average Jane who just wants to manage her own website via CMS.

So now we have tonnes of legacy systems and people who simply haven't gotten the memo yet. All of which is to say that yes your host should use SSL, but it's going to be a long time before you see this practiced by the majority of websites. I'd say your host might be the norm instead of the exception.

Unfortunately their attitude might be indicative about how they think about the rest of their server security though, in which case you may as well move to a host that takes things more seriously.

After years of working with dedicated server companies I found that little things like this did tend to lead to patterns of bad security, bad backup systems, bad monitoring, etc.

ctb_mg almost 12 years ago

Looks like more head-in-the-sand security from people who aren't detail oriented. Yes, your login pages need SSL.

Perceived rarity has nothing to do with it! A password is being transmitted in *plaintext*.

If forum passwords weren't a target then why are so many website databases a primary target lately? They steal the crappy, unsalted hashes and emails and go to town at other services where they are likely to use the same password.

I can't believe we are having this discussion!