ClassCreator.com | Blockbuster sites, amazing reunions

Security Question

Forums: Suggestions and Feedback
Created on: 01/30/10 08:58 PM Views: 1974 Replies: 2
Saturday, January 30, 2010 at 8:58 PM

The following question was asked by a classmate who is registered on our site:

"When the login screen pops up shouldn't it go to a secure https site? As of right now, it does not."

I'm not quite sure how to answer that one. Is this something to be concerned about and how would you answer this?

Thanks for everything!

Saturday, January 30, 2010 at 9:33 PM - Response #1

Very good question.

There are 2 reasons we don't use an https login page:

1) Your login page is the same as your home page. Anyone who wanted an https address would have to buy their own Secure ID, which is typically around a couple hundred dollars per year. Basically that would triple the cost of using Class Creator. It's either that or make all home pages come up under a ClassCreator.com address instead of your own domain name, which nobody would want.

2) Because you control your home page you have the ability to add all kinds of code and third party objects to it. The vast majority of people here do. If you secured your home page through https, then you would also have to secure every single object you add to your home page. It would be impossible to do that in many cases, as many objects themselves wouldn't be secured at the third party server. When that happens, i.e. you're running a secure page with some elements that are not secured, what you get is a big ugly warning when you visit the page saying that portions of the site are insecure. Obviously that would be a real problem too.

By and large https is reserved for extremely sensitive information, such as credit card transactions. It's not typically used in login environments like this, although your Classmate is correct, if it were it would make the page that much more secure. Just because the page is not using https doesn't make it easy for people to crack your account though. It would still be hard for most people to crack. Even Facebook doesn't use an https login page. I'd tell your Classmate it's an excellent observation, but I wouldn't spend too much time worrying about accounts being cracked. With over 700,000 people on the system now I'm unaware of one single incident where an account was cracked due to not using an https login screen. Even if it ever did happen, inside the system we hide the extremely sensitive information anyway, such as your credit card number. A hacker who got into your account would have no means whatsoever of getting your credit card information even though they were in there.
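
The mixed-content situation described in point 2 of the response above can be checked before a page is moved to https. The following is an added example, not part of the original thread and not Class Creator's code: it lists every object a home page would still load over plain http. The sample page, host names and function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Attributes that make the browser fetch a subresource while rendering the page.
# <a href> is deliberately absent: a plain link is navigation, not mixed content.
FETCHING_ATTRS = {
    "script": "src", "img": "src", "iframe": "src", "embed": "src",
    "audio": "src", "video": "src", "source": "src", "object": "data",
}

class _SubresourceCollector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure = []  # (tag, absolute_url) pairs fetched over plain http

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link":
            # Only stylesheets are rendered into the page; rel is a token list.
            rels = (attrs.get("rel") or "").lower().split()
            raw = attrs.get("href") if "stylesheet" in rels else None
        else:
            raw = attrs.get(FETCHING_ATTRS.get(tag, ""))
        if not raw:
            return
        # Relative and protocol-relative (//host/x) URLs inherit the page scheme.
        absolute = urljoin(self.page_url, raw.strip())
        if urlparse(absolute).scheme == "http":
            self.insecure.append((tag, absolute))

def find_insecure_subresources(html, page_url):
    """Return (tag, url) for every subresource an https page would load over http."""
    collector = _SubresourceCollector(page_url)
    collector.feed(html)
    return collector.insecure

# Constructed sample home page; the hosts are placeholders.
SAMPLE_HOME_PAGE = """
<link rel="stylesheet" href="/css/site.css">
<script src="http://widgets.example.net/counter.js"></script>
<img src="//cdn.example.org/banner.png">
<iframe src="http://video.example.net/embed/123"></iframe>
<a href="http://old.example.com/yearbook">Yearbook</a>
<embed src="https://media.example.org/slideshow.swf">
"""

if __name__ == "__main__":
    for tag, url in find_insecure_subresources(SAMPLE_HOME_PAGE, "https://www.example.com/"):
        print(f"<{tag}> loads {url}")
```

On the sample page only the script and the iframe are reported; the relative stylesheet and the protocol-relative image follow the page's own scheme, and the plain link is not a loaded object.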


Edited 01/31/10 1:21 PM
Sunday, January 31, 2010 at 12:37 PM - Response #2

Thanks Brad for the prompt response! Great information and it really clarified things.
You guys are wonderful!
