- The Sign-in page is over SSL, which is good:
- The Forgot password page, where you enter your username is also over HTTPS. Not strictly required, but good all the same:
- This sends you an email with a link to reset your password. This page is not over HTTPS:
- And submitting this form also goes to a page that is not over HTTPS:
Now they put the login page on HTTPS, which shows that they want to protect the user's password from sniffing, but the password reset form, which also accepts the user's password, sends the password in clear text over HTTP. This isn't good. If you're going to protect passwords via SSL, do it everywhere. FWIW, the userid (but not the username) is also sent in this form.
I've emailed email@example.com with these details, and am awaiting a response.
Update 2012-01-25 21:08 UTC: As of this time, Delicious have fixed the core issue of the password reset page being on HTTP. Kudos to the team for acting quickly. The secondary issue of third party scripts on this page still remains, but that's a policy decision for them, and not me.