SSL Padlock (Opera Users)

manjuice · 23 Aug 2007 at 18:45

Code:

http://login.live.com/

^
Do you see the padlock when you go on that site?

MarcLister · 23 Aug 2007 at 19:02

Code:

http://login.live.com

No.

Code:

https://login.live.com

Yes.

manjuice · 23 Aug 2007 at 19:13

Thanks

MarcLister · 23 Aug 2007 at 19:25

What was the problem then? Weren't sure if the padlock was meant to show or not?

manjuice · 23 Aug 2007 at 20:40

I wanted it to show, so login details would be encrypted.
Don't know why it doesn't show anymore in http://

MarcLister · 23 Aug 2007 at 20:43

I know what you mean. I've bookmarked the https version of the Fastmail link so I can keep my details encrypted.

Just bookmark the https://login.live.com and set a keyword of 'live' or 'hotmail' or something. That way you'll always sign in through the more secure way.

manjuice · 23 Aug 2007 at 21:41

Yup, thanks

MarcLister · 23 Aug 2007 at 21:43

Actually just thought, it'd be cool if the Opera guys could add something to the next version of Opera where when you go to a page with a login form, Opera scans the URL to see if a https version exists and then redirects you to that if there is one.

I haven't explained it well probably but I hope you get the gist of it.

manjuice · 23 Aug 2007 at 21:59

They probably could.
It'll be like typing 'bbc' in the address bar and opera scans for the first available extension, ie. .com

MarcLister · 23 Aug 2007 at 22:00

Yeah thats quite a cool little setting that. Would be cool if they could get this in future Opera builds.

tolien · 24 Aug 2007 at 00:39

MarcLister said:
Actually just thought, it'd be cool if the Opera guys could add something to the next version of Opera where when you go to a page with a login form, Opera scans the URL to see if a https version exists and then redirects you to that if there is one.

I wouldn't be too optimistic of that ever happening, given the heavy lifting and potential for hassle involved (at least, compared to recursing through a list of TLDs, adding one and seeing if it gives you a DNS response):

The browser would need to check that the page content was identical - connecting using HTTPS doesn't always get you the same result as HTTP, if you get a result at all. That means an extra load of traffic to servers, which would go down like a lead balloon.
The browser doesn't know that the page you're at is a login form, unless you make the assumption that every page with a form element called "password" (or whatever) is a login form.

As a prime example, this forum displays a password field on every page if you aren't logged in, but doesn't respond to HTTPS (when I just tried it).

The proper (and easy) way to do things would be for sites to redirect you to the SSL version.

MarcLister · 25 Aug 2007 at 13:03

tolien said:
I wouldn't be too optimistic of that ever happening, given the heavy lifting and potential for hassle involved (at least, compared to recursing through a list of TLDs, adding one and seeing if it gives you a DNS response):

The browser would need to check that the page content was identical - connecting using HTTPS doesn't always get you the same result as HTTP, if you get a result at all. That means an extra load of traffic to servers, which would go down like a lead balloon.

The browser doesn't know that the page you're at is a login form, unless you make the assumption that every page with a form element called "password" (or whatever) is a login form.

As a prime example, this forum displays a password field on every page if you aren't logged in, but doesn't respond to HTTPS (when I just tried it).

Yeah I can see the technicalities.

tolien said:
The proper (and easy) way to do things would be for sites to redirect you to the SSL version.

Would be a much better system I agree. Do any sites do this now?

tolien · 25 Aug 2007 at 15:25

MarcLister said:
Would be a much better system I agree. Do any sites do this now?

Zen's Webmail is the first example that came to mind.