Yes, you have HTTPS correctly identified. It uses SSL ("Secure Sockets Layer", basically an intermediate 'layer' on top of the transport mechanism and below the HTTP level) to make all traffic on top encrypted.
The problem was that it was an option only if you went to a preferences page, and even then it wasn't exactly obvious. By default, if you created a Gmail account the option was set to HTTP; you had to take special action to change it.
The thing is that there was no excuse at all for them to use non-secure HTTP for the rest of the site. Since you had to use HTTPS to log in, they could just as easily have stayed with HTTPS for the rest of the session (if your browser couldn't support HTTPS -- and as far as I know all browsers available now can -- then you couldn't have logged on at all).
This contrasts with LJ, which allows you to log in using non-secure HTTP if you need to and then the rest of the transactions are all HTTP regardless of how you logged on. In LJ's case they would need to remember which was used for logging in (or whether the person was logged in at all) and use that, which would make the generation of links more difficult. Or stop supporting HTTP entirely.
no subject
Date: 2008-09-09 11:13 am (UTC)