by rogerdpack 3481 days ago
The only problem is if those subdomains have a password input field "somewhere" on their sites, AFAICT. Or are you referring to Google's "later" plans to add a red exclamation point "insecure" flag to the URL bar for all HTTP pages?

I'll admit when I first heard of them flagging HTTP password fields, my instinct was to write a little JavaScript to "mimic" password input field behavior (and store the real password away somewhere else, then at submit time, it sends in the correct data). But if it's just a tiny warning on the URL bar, meh, not sure if I care...

Also note that https://letsencrypt.org appears to offer free CA certs.


Sephr was talking about wildcard certificates, which Let's Encrypt doesn't offer. But dynamically requested certificates can sometimes be used as a replacement for wildcard certificates.
I doubt most will even go that far. You can pretty much expect those that won't go HTTPS (for whatever reason, and there are many) to change their input type="password" fields to input type="text" fields.

That is probably what I am going to do for the internal site I maintain at work, since I can't get an SSL certificate for such a thing.

All this change is going to do is make password eavesdropping in person easier.

If it's hosted in local IP space and therefore you can't get a certificate, you can set up a CA and push that CA certificate through Group Policy. I had to do it myself and it took 3-4 hours (mostly because I'm bad at Group Policy).
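The internal-CA approach from the comment above, as an added example that is not part of this thread: a private root CA signs a server certificate for a made-up internal host ("tools.corp.local" at the RFC 1918 address 10.0.0.5), and the verification calls show why the CA certificate itself has to reach every client (the Group Policy step) before browsers will trust the site. Host name, address and CA name are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// must keeps the demo short: any error while building the PKI is fatal.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// BuildInternalPKI creates a private root CA and a server certificate for a hypothetical
// internal tools host ("tools.corp.local", RFC 1918 address 10.0.0.5); both names are made up.
func BuildInternalPKI() (ca, leaf *x509.Certificate) {
	now := time.Now().Add(-time.Hour) // slight backdate tolerates client clock skew
	caKey, leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: "Corp Internal CA"}, NotBefore: now, NotAfter: now.AddDate(10, 0, 0),
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "tools.corp.local"},
		NotBefore: now, NotAfter: now.AddDate(1, 0, 0), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:    []string{"tools.corp.local"}, // browsers match the SAN, not the CN
		IPAddresses: []net.IP{net.ParseIP("10.0.0.5")}}
	leaf = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey))))
	return ca, leaf
}

// Trusted reports whether leaf chains to roots and is valid for host (DNS name or IP).
func Trusted(leaf *x509.Certificate, roots *x509.CertPool, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil
}

func main() {
	ca, leaf := BuildInternalPKI()
	pushed := x509.NewCertPool()
	pushed.AddCert(ca) // the step Group Policy performs on every domain-joined client
	fmt.Println(Trusted(leaf, x509.NewCertPool(), "tools.corp.local"), Trusted(leaf, pushed, "tools.corp.local")) // false true
}
```

Without the CA in the client's root store the leaf fails with an unknown-authority error; with it, the certificate verifies both by name and by IP SAN.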
The problem is that I'm a developer on a team of six. And my site is used by another five or six teams. It's a little tools site that does various SQL queries and such against databases other teams don't have access to. They're not going to allow me to push my signing certificate onto everyone's computers. I'm very low on the org chart.
Well, I assume in a company with that many teams they would have already come across a need to manage their own simple, internal CA. Maybe you can be the person to set it up; trust me, it's scarier than it looks.
Oh yeah, text field, that's an interesting option and people might even use it as an easy workaround [LOL]. I guess you could make the viewable size like 1 char, then it won't be much worse than inputting it from a smartphone. Except for the large screen people can see from behind you LOL.

I guess people could do self-signed certs that expire in "100 years" but you're right, even installing those can be super painful, and people may not go that far. Of course, initially what people will do is "nothing" and just let the insecure message appear, since it doesn't actually block any functionality, seemingly...