
Scenario: the web page I'm on uses HTTP. It includes a form to login. The form action uses HTTPS.

Question: are my login credentials secure, or must the page I'm on use HTTPS also?

Follow-up from: https://twitter.com/falkowski/status/525354785437147136

Brendan Falkowski

possible duplicate of [Is it secure to submit from a HTTP form to HTTPS?](http://stackoverflow.com/questions/274274/is-it-secure-to-submit-from-a-http-form-to-https) – MrTux Oct 29 '14 at 12:48

2 Answers


Technically, it is only the form action that requires HTTPS.

However, IE in particular complains mightily when you try to mix secure and insecure resources. In addition, having such a configuration indicates that the writers of that service are being lazy.

The design would preclude the latest security configurations such as Strict Transport Security & Perfect Forward Secrecy and will also prevent the site from using SPDY. Bad design.

Even worse from a user perspective is that it is almost impossible to check that the site is using a secure connection and it would be trivial for that form submission to be changed to non-secure without anyone being any the wiser. Bad design!!

I would point out, though, that this was common practice a few years ago when HTTPS was a significant overhead on web servers. Things have moved on though and this is no longer the case.

Julian Knight

Reference from another thread: Is it secure to submit from a HTTP form to HTTPS?

TLDR: the submission itself is technically secure, but because the surrounding page is susceptible to a MITM attack it's not.

Community
Brendan Falkowski