by chrislaco 4633 days ago
I just logged in and added something to my cart. The cart was in https. And clicking on the checkout, express, or credit card related buttons yields https pages.

I'm guessing something less sinister, like a missed https:// in a link somewhere.

1 comments

Maybe they should make user cookies HTTPS only, and use HSTS. Sites with "private" information shouldn't allow plain http access at all, afaik.

Anyway, isn't it just the classic way of doing it? "Big note on front page saying that we're having trouble with our SSL cert and then saying that it's ok to log in without." ;) Yet another reason why SQRL's "domain name" site authentication isn't a good idea.

Btw. I have heard even from credit card processors the same story. Oh, our API SSL cert expired, it's totally ok to change settings that it's ignored. (duh!)
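
The two controls suggested in the comment above (cookies restricted to HTTPS via the `Secure` attribute, plus HSTS) can be checked from a response's headers. This is an added example, not part of the thread; the sample headers and the 180-day `max-age` threshold are constructed assumptions.

```python
from http.cookies import SimpleCookie

# Constructed sample response headers (not captured from any real site).
SAMPLE_HEADERS = [
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "cart=42; Path=/; Secure; HttpOnly"),
    ("Strict-Transport-Security", "max-age=300"),
]

MIN_HSTS_MAX_AGE = 15552000  # assumed policy threshold: 180 days


def parse_hsts(value):
    """Return (max_age or None, include_subdomains) from an HSTS header value."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            max_age = int(arg) if arg.isdigit() else None
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def audit(headers):
    """Return a sorted list of findings for an HTTPS response's headers."""
    findings = []
    hsts_values = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not hsts_values:
        findings.append("hsts: header missing")
    else:
        max_age, _ = parse_hsts(hsts_values[0])  # RFC 6797: only the first header counts
        if max_age is None:
            findings.append("hsts: no valid max-age")
        elif max_age < MIN_HSTS_MAX_AGE:  # also catches max-age=0, which clears the policy
            findings.append(f"hsts: max-age {max_age} below {MIN_HSTS_MAX_AGE}")
    for value in (v for k, v in headers if k.lower() == "set-cookie"):
        cookie = SimpleCookie()
        cookie.load(value)
        for name, morsel in cookie.items():
            if not morsel["secure"]:  # cookie would also be sent over plain http
                findings.append(f"cookie {name}: missing Secure")
    return sorted(findings)


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_HEADERS)))
```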