Security and fancy crypto on the server don't mean much if your frontend interface submits passwords in plain text over the wire. A secure service shouldn't even serve up content on non-HTTPS URLs.
I completely agree. We didn't install a cert since there were some doubts around whether we would sign it ourselves or not.
Whatever we decide, a self-signed cert is better than none, hence this is now fixed. All HTTP traffic is now redirected to HTTPS using a 2048-bit self-signed certificate :-)
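For anyone following the same route, here is an added example (not the poster's own setup, and no particular web server assumed) of generating a 2048-bit RSA self-signed certificate with the openssl CLI and then checking the two properties claimed above: key size and self-signedness. The host name `example.internal` and the output directory are placeholders; the only assumption is that `openssl` (1.1.1 or newer, for `-addext`) is installed.

```shell
#!/bin/sh
# Added example, not the original poster's code: create a 2048-bit RSA
# self-signed certificate and verify what was generated.
# Assumes the openssl CLI is available; "example.internal" is a placeholder host.

set -eu

# gen_self_signed DIR HOST: writes DIR/key.pem and DIR/cert.pem
gen_self_signed() {
    dir="$1"; host="$2"
    mkdir -p "$dir"
    # -newkey rsa:2048 : 2048-bit RSA key
    # -nodes           : unencrypted key file, so the server can start unattended
    # -x509            : emit a self-signed certificate instead of a CSR
    # -addext SAN      : browsers match on subjectAltName, not CN, so set both
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
    chmod 600 "$dir/key.pem"   # private key must not be world-readable
}

# key_bits CERT: prints the size in bits of the certificate's public key
key_bits() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# is_self_signed CERT: succeeds if issuer == subject AND the signature
# verifies against the certificate's own key (a forged issuer name alone
# would pass the first check but not the second)
is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ] \
        && openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Demo: run as `sh script.sh demo` to generate and check a certificate in ./tls
if [ "${1:-}" = "demo" ]; then
    gen_self_signed ./tls example.internal
    echo "key bits: $(key_bits ./tls/cert.pem)"
    is_self_signed ./tls/cert.pem && echo "self-signed: yes"
fi
```

One caveat that comes with a self-signed cert: clients that talk to the service (scripts, monitoring, other servers) should be given `cert.pem` explicitly as the trust anchor, e.g. `curl --cacert cert.pem https://...`, rather than having verification switched off with `-k`, which would throw away the protection the redirect was added for.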