Request For Enhancement: Always use Enhanced Security (includes poll)

  • Question

  • Request for Enhancement: I'm of the persuasion that passwords should always be transmitted over secure channels. With this in mind, it would be great if LiveID always used Enhanced Security. Both Yahoo and Google always use SSL for signons these days. Is there any reason not to move to Enhanced Security 100% of the time?

    I searched the forums before posting this, but came up empty-handed. My apologies if it has already been discussed in the past.

    Share your thoughts by taking this poll:

    "Should LiveID always use Enhanced Security (SSL)?"
    http://answers.polldaddy.com/poll/2195371/

    Sunday, November 1, 2009 5:15 AM

Answers

  • Hi, the creds are always transmitted over a secure channel.

    thx
    Angus


    Angus Logan | Technical Product Manager | Windows Live Platform | http://blogs.msdn.com/angus_logan
    Sunday, November 15, 2009 7:40 AM

All replies

  • Thanks for the info.  Upon closer inspection, by looking at the HTML source, I see that the POST is indeed over HTTPS via JavaScript even when using Standard Security.  This is comforting. 

    However, I think the vast majority of users seeing http:// instead of https:// in the browser's URL will think their transmission will be insecure.
    Monday, November 16, 2009 11:14 PM
  • I guess the reason for it is speed. It takes a few milliseconds to set up an SSL/TLS handshake and I can understand that it's unnecessary on the initial page. Only after submitting the credentials they should be secured (by SSL). By the way, https://login.live.com has an EV-SSL certificate, which makes the bar turn green.
    Sunday, November 22, 2009 10:42 PM
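
The check described in the November 16 reply (reading the HTML source to see where the sign-in form posts) can be automated. The following is an added example, not part of the thread and not LiveID code: it reports, for each password form, the scheme of the POST target and the scheme of the page that delivered the form. The host `login.example.test`, the sample markup and the function names are constructed assumptions, and only a static `action` attribute is inspected (a target set purely by script is flagged as scripted, not resolved).

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class LoginFormAudit(HTMLParser):
    """Collect every <form> that contains a password field."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []        # finished forms that hold a password input
        self._current = None   # form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing or empty action posts back to the page URL itself.
            target = urljoin(self.page_url, a.get("action") or "")
            self._current = {"action": target, "scripted": "onsubmit" in a,
                             "password": False}
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            if self._current["password"]:
                self.forms.append(self._current)
            self._current = None

def audit(page_url, html):
    """Return (post_target, scripted, verdict) for each password form."""
    parser = LoginFormAudit(page_url)
    parser.feed(html)
    parser.close()
    page_tls = urlsplit(page_url).scheme == "https"
    findings = []
    for form in parser.forms:
        if urlsplit(form["action"]).scheme != "https":
            verdict = "credentials posted without TLS"
        elif not page_tls:
            verdict = "POST over TLS, form page delivered over plain HTTP"
        else:
            verdict = "form page and POST both over TLS"
        findings.append((form["action"], form["scripted"], verdict))
    return findings

# Constructed sample markup, not taken from any real sign-in page.
SAMPLE = ('<form action="https://login.example.test/post" onsubmit="return go()">'
          '<input name="u"><input type="password" name="p"></form>')
```

Calling `audit("http://login.example.test/", SAMPLE)` gives the middle verdict, which is the Standard Security situation the thread discusses: the credentials are encrypted in transit, while the page holding the form is not authenticated by TLS.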