http://www.perlmonks.org?node_id=1213488

Hi Monks, again,

I am on an insecure and nosy (not noisy, nosy) connection and have realised that my password was just POSTed cleartext over to the Monastery. Understandably (firefox warns about that). I changed it using the https://perlmonks.org link. Though Jesus knows all the passwords. Obviously.

However, I am wondering...

I realise the increased computational burden of SSL on the Monastery's bit-pushing apparatus. And I am quite pragmatic as to what who gains my password can do with it ... Nothing really apart from flaggellating a fellow Monk or posting inefficient and buggy codes ...

So, what's the norm?

Personally, I would be comfortable with a middle way where the login form is send over SSL and then once successfully logged in it downgrades back to http. After that all sessions, posts etc are over http. Now what good that be? They can steal your cookie (I read in a past node). Yes sure, but still they do not have the password (**which one may share across many sites** - always pragmatically speaking) and the computational burden on the Monastery servers is kept low.

Please notice that downgrading back to http (after logging in via https) has to be done manually (as far as I can see), i.e. change browser's url to http a mano. So it is an incovenience on the digital fastlane.

So, question is: should I use https over all my perlmonks.org transactions after I log in and forget about manual changing https to http? Or log in via https and then manually go to http for reading/posting (accepting the risks associated with it but who cares)? However, logging in via http is not going to happen for me anymore. I hate gloating script kids.

Edit: what about changing perlmonks' login form's names for username and password to something like a and b. And the login url to something less revealing? Just a thought.