| You absolutely should have SSL be required when having a login form. Like 'ctb_mg' said, it's hard to believe we are having this discussion. It's scary where plaintext goes and how easy it is to intercept. The tough thing is that not too many years ago it was perfectly normal to not use https for logins into anything except ecommerce, online banking, and serious corporate and government stuff. Even Gmail didn't default to https until a few years ago - long after they were huge! We also have to remember that SSL certificates suffered a lot on shared hosting due to dedicated IP requirements (until SNI) and just plain being difficult and confusing to setup. That's a huge barrier for Average Joe that wants to setup a forum about race cars or Average Jane who just wants to manage her own website via CMS. So now we have tonnes of legacy systems and people who simply haven't gotten the memo yet. All of which is to say that yes your host should use SSL, but it's going to be a long time before you see this practiced by the majority of websites. I'd say your host might be the norm instead of the exception. Unfortunately their attitude might be indicative about how they think about the rest of their server security though, in which case you may as well move to a host that takes things more seriously. After years of working with dedicated server companies I found that little things like this did tend to lead to patterns of bad security, bad backup systems, bad monitoring, etc. |