<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.msdn.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>This is a bad idea...</title><link>http://blogs.msdn.com/francip/archive/2004/08/05/209204.aspx</link><description>The new FirstTech Credit Union page puts the logon dialog on an unsecured page. Their explanation [1]: Why This Is Secure Using the Online Banking Login on the 1sttech.com pages is safe, even though you do not see the lock in your browser as your Account</description><dc:language>en-US</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>re: This is a bad idea...</title><link>http://blogs.msdn.com/francip/archive/2004/08/05/209204.aspx#209350</link><pubDate>Thu, 05 Aug 2004 23:14:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:209350</guid><dc:creator>.</dc:creator><description>My credit union has the same thing on their site.  (www.octfcu.org) They have the same disclaimer button, and similar language in their explanation.  I wonder if it was done by the same company...  I agree, very bad practice.&lt;br&gt;</description></item><item><title>re: This is a bad idea...</title><link>http://blogs.msdn.com/francip/archive/2004/08/05/209204.aspx#209369</link><pubDate>Thu, 05 Aug 2004 23:35:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:209369</guid><dc:creator>Jerry Pisk</dc:creator><description>Technically they're right. When your input page loads over SSL it doesn't mean jack. What's important is how it's submitted and I'm sure most people would not even know that their credentials are sent clear text if the submit would go over HTTP, without SSL, because everybody I know has those switch notifications off. 
So they would think they're sending their data over a secure connection even when they would not, because the input page had a lock.</description></item><item><title>re: This is a bad idea...</title><link>http://blogs.msdn.com/francip/archive/2004/08/05/209204.aspx#209375</link><pubDate>Thu, 05 Aug 2004 23:45:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:209375</guid><dc:creator>Franci Penov</dc:creator><description>That is correct. It's possible to have an https page that submits the user data in clear text. As it is possible to submit encrypted data from an unsecured page.&lt;br&gt;&lt;br&gt;But that's hardly the point. The point is that it's a bad idea to train your customers to rely on what the content of the page says about the underlying connection security. The same content (i.e. lock icon) can mean a totally different thing on another page.&lt;br&gt;&lt;br&gt;People are very gullible. They should be trained to be more suspicious, not less.</description></item><item><title>re: This is a bad idea...</title><link>http://blogs.msdn.com/francip/archive/2004/08/05/209204.aspx#209379</link><pubDate>Thu, 05 Aug 2004 23:51:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:209379</guid><dc:creator>drebin</dc:creator><description>I work for a brokerage firm - when we wrote our online service (around 1999-2000) - we did this too. It ended up being a HUGE point of contention between IT and Marketing.. &lt;br&gt;&lt;br&gt;The marketing people said &amp;quot;We want a login/password right from the dub-dub-dub site! Period.&amp;quot; and we said, &amp;quot;Well, you can't.. not really. Either [use the technique above] which is bad practice.. or make the main www site be https - which makes the whole site much slower&amp;quot;.. No matter how you slice it, if you want a login box from the main www site, it's going to be not pretty.
&lt;br&gt;&lt;br&gt;We explained that this technique (above) was not very good - but the marketeers won after all. We have MANY screaming arguments in the board room. They pretty much pulled rank and we HAD to do it.&lt;br&gt;&lt;br&gt;In the end, it didn't matter because we outsourced the back-end of our business and the product we took 1.5 years to build was only used for about 8 months before it was replaced! :-)&lt;br&gt;&lt;br&gt;Point is, you Microsoft folks need to get out more.. there is a WHOLE LOT MORE to programming than this very academic viewpoint you guys have. No offense. :-) but corporate politics and deadlines often make us do LOTS of things we wouldn't normally do sitting in a classroom.&lt;br&gt;</description></item><item><title>re: This is a bad idea...</title><link>http://blogs.msdn.com/francip/archive/2004/08/05/209204.aspx#209554</link><pubDate>Fri, 06 Aug 2004 03:30:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:209554</guid><dc:creator>Doug Lawty</dc:creator><description>But what would be a better practice?&lt;br&gt;&lt;br&gt;I agree that the content of the page can easily mislead a user and we shouldn't be encouraging them to trust that.&lt;br&gt;&lt;br&gt;However, teaching them to look for the lock present on the login form can be just as misleading.&lt;br&gt;&lt;br&gt;Since the browser doesn't indicate whether or not the post will happen over an SSL connection, there's nothing on the login form that can be trusted for guidance.
&lt;br&gt;&lt;br&gt;Should we teach users to view the source and look at the action of the &amp;lt;form&amp;gt; tag?</description></item><item><title>Credit Union puts login area on an unsecure page</title><link>http://blogs.msdn.com/francip/archive/2004/08/05/209204.aspx#209617</link><pubDate>Fri, 06 Aug 2004 08:05:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:209617</guid><dc:creator>Lockergnome's Web Developers</dc:creator><description>FirstTech Credit Union may understand the importance of banking security, however they seem to be struggling with the obvious implementation of such. First they put the login area on unsecured page, then they come up with some crazy explanation as...</description></item><item><title>An even worse idea</title><link>http://blogs.msdn.com/francip/archive/2004/08/05/209204.aspx#209939</link><pubDate>Fri, 06 Aug 2004 16:20:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:209939</guid><dc:creator>gfox</dc:creator><description>I wanted to log into a website that holds information about my truck loan.  The login is an insecure page.  They required my Social Insurance Number (much like the SSN in the USA) as an identifier.  In Canada it is illegal to identify people by their SIN, unless they expressly permit it.&lt;br&gt;&lt;br&gt;So, the INsecure website is asking for a very important number that can be very damaging ifit got into the wrong hands, and they are doign it illegally.  The best part is when you submit the form (I managed to find a secure version buried in the bowels of their site), a javascript popup displays basically stating that by submitting your SIN you agree to allow them to use your SIN to identify you.  What kind of backass way of doing things is this?</description></item></channel></rss>