SSL security

[Staples]

I have a few credit cards. One of them I pay online at chase.com. I have noticed that when you submit your user/password, you are submitting them to an SSL session however the login form is not served from within an SSL session. Since you are not within an SSL session when you are entering the credentials, is your data still safe?

This seems to be the only instance I have ever seen of a site that uses SSL where the actual login form is not served from within the SSL session.

 

[FreiDOg]

While it's bad form not to have the login page itself in a secure connection (in my opinion at least because it makes it less clear to the user their information is secure), nothing needs to be over a secure connection until you submit your login.

You haven't given any personal information out until you clicked 'login,' so as long as that button does its post to an https connection, your information is protected. In IE7 and with some extensions in FireFox (which I can't remember right now), you can hover the mouse over most buttons to get the url the same as you can do with a hyperlink to verify they are using an https connection to submit your information.

 

[hokatichenci]

Given a webpage of with HTML requesting a login and a password (ie, basic form action)

What is the difference between:
That webpage pointing to a https form action
That webpage pointing to a http form action

Additionally, what is the difference between:
That webpage served from https, pointing to a https form action
That webpage served from https, pointing to a http form action

Don't ever assume identity, especially those who you place money with. I force my client to https on all of my banking sites on the login screen.