In short: should the login page (where you enter your user and password) be under SSL before submitting the page, or is it OK for the login page to be on regular HTTP but go to HTTPS (SSL) when you submit? Which way assures you an encrypted communication?
Like Apple has it here: http://store.apple.com/1-800-MY-APP...wo/FA2gvyiEV2GH3qAiTm12wpnPFBQ/2.0.26.9.5.7.1
Or Hotmail has it here: http://login.live.com/login.srf?wa=...ly=http://mail.live.com/default.aspx&id=64855
Or like Target has it here: http://www.target.com/gp/flex/sign-...ut&page=/gp/homepage.html/602-0604016-7503003
Well, I found this info. These articles say the opposite: that the login page and the action page should both be under SSL (mostly because of the phishing problem):
- http://blogs.msdn.com/ie/archive/2005/04/20/410240.aspx
- http://my.opera.com/yngve/blog/show.dml/281609
- http://blogs.zdnet.com/Ou/?p=226
- http://blogs.zdnet.com/Ou/?p=201
If we think a bit, they are right: how do I know that the login page is the one I want to be on and that it wasn't phished? But if it's under SSL then I will know to whom that page belongs.