Secure Logins

25 Jan 2006

I use Yahoo for a few of their services. As Aaron notes, Yahoo makes you log in excessively. This is a bit annoying, especially since each login usually requires multiple clicks for me - I always choose the secure option, because it submits the form over SSL, and this isn't the default. (If my wife has been using the computer, it usually also means that I have to log her out first, but that's another story.)

Recently, Yahoo removed the secure option:

If you read the fine print, however, you'll see "Submits over SSL." The problem is that Yahoo has focused too much on the technical issues and not enough on the social ones. The average user looks for the lock icon when entering sensitive data into a form. Although it's not required that the login form itself be sent over a secure connection, the average user doesn't know this.

If you view source (which is the only way to verify Yahoo's claim prior to submitting the form), you'll see that they're telling the truth:

Wouldn't it be nice if browsers could give us a visual indication that a form's action uses the https scheme? Imagine a cursor with a lock icon beside it:

Anyone want to write a Firefox plugin? :-)
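One way to do the check such an indicator would rely on, as an added example that is not part of the original post: for every form that contains a password field, resolve its action against the page URL and report the scheme it will submit over. The function names and result fields are assumptions made for illustration.

```javascript
// Added example: report where each password form on a page will submit.
// `doc` is a DOM Document, or any object exposing the few members used here.

// Resolve a form's action attribute the way a browser does: relative to the
// page URL, with a missing or empty action meaning "submit to this page".
function resolveFormTarget(pageUrl, actionAttr) {
  const raw = (actionAttr || "").trim();
  try {
    return new URL(raw === "" ? pageUrl : raw, pageUrl);
  } catch (e) {
    return null; // action could not be parsed as a URL
  }
}

function auditLoginForms(doc, pageUrl) {
  const page = new URL(pageUrl);
  const results = [];
  for (const form of Array.from(doc.forms)) {
    // Only forms that collect a password are of interest.
    if (!form.querySelector('input[type="password"]')) continue;
    // Read the attribute, not form.action: the property can be shadowed
    // by an input named "action". A submit button's formaction attribute
    // can override the form's action; that case is not handled here.
    const target = resolveFormTarget(pageUrl, form.getAttribute("action"));
    // A missing or unrecognised method falls back to GET.
    const method = (form.getAttribute("method") || "").toLowerCase();
    results.push({
      target: target ? target.href : null,
      submitsOverHttps: target !== null && target.protocol === "https:",
      // A page fetched over http can be altered before the user sees it,
      // so the scheme of the page is reported alongside the action's.
      pageOverHttps: page.protocol === "https:",
      passwordInUrl: method !== "post" && method !== "dialog",
    });
  }
  return results;
}
```

In a browser console, `auditLoginForms(document, location.href)` returns one entry per login form on the current page.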