https

https [+ favourites]

I have noticed that some websites place the actuall login page on a normal http web page (http://www.something.com/login.htm), and when you log in, the next page is an https page. Other sites, however, place the login page on an https page as well. My question is this: Is it necessary to have the initial login page secure as well? How does this work?

"Live a good, honorable life. Then when you get older and think back, you'll enjoy it a second time"

HTTPS encrypts all the data that is sent and received from the client to the server. Because of this, both the server and the client's computer must do a lot more processing with every page request.

In regards to a login page, if the sensitive data that the website wishes to protect is within the system once the user is logged in, then they have the choice of not securing the login page.

However, this is somewhat pointless because if the login page is not secured then the password of the user is not protected which makes whatever is inside the secure area unprotected as well.

It is definitely a breach of security to pass your password over a non-secured connection if the data within the secure area needs to be secured.

Banks, for example, will make all login areas secured.

* There is the possibility that some new browser technoilogy exists where by the password and user name are somehow secured even in a non-https environment but as far as I know this does not exist.

"Hating everyone protects me from elitism."