First off, I'm not trying to tattle on my web host here. In a forum post, for my web hosting service, I made the following statement:
"I already feel exposed having to log in to the forums without an https login page."
This was in a discussion about their lack of support for encrypted password transmission for their mail server.
The reply I got from my host was:
"I don't know of a forum anywhere that uses an https login.
As far as account compromises that we see (and we see a lot of them), they are almost exclusively due to compromised home or workplace computers, or insecure web sites, not intercepted Internet traffic.
I'm not saying it doesn't happen anymore, but it's exceptionally rare these days, primarily because it's infinitely easier to drop malware or viruses on tens or hundreds of thousands of people in one fell swoop than it is to intercept and analyze an individual user's traffic looking for logins.
Security concerns are certainly always valid, and if you have reason to believe someone is targeting you, I can understand the desire for heightened security everywhere you enter a login. But the fact is most people would be better served ensuring security closer to home."
I can understand the claim that accounts are more likely to be compromised by users not being careful with their own computers, but something about this reply is lowering my confidence. The reason is that many users will create forum accounts using the same credentials (as their host control panel login), which makes for an easy target IMO.
Is this (non-SSL login page) really as common a practice as the reply claims? And if so, shouldn't that be changed, or am I just being too paranoid?
EDIT: Clarified statement.