On Sun, 6 Apr 2014, Stephen Farrell wrote: > ... > There is a value in not making cleartext versions of services > available though - I've personally seen a number of cases where > http:// URLs were sent via mail with instructions to login at > that URL using e.g. a datatracker or tools login. Yes, that ought > not happen (https:// URLs should be sent), but it does happen > and will so long as the http:// URLs work, and it'd be naive of > us to assume that everyone sending out such mails would be aware > that doing so isn't a good plan. Um, it is not difficult to protect the login credentials will leaving the remainder of the interaction in the clear. Then it won't matter what is the the email. I don't object to making TLS/et al access available when it can be done at a moderate cost. But that is different than the implied statement that the intent is to require TLS for future service access. I agree with those who've said a threat analysis is needed before deciding access is limited to TLS or other secure alternative.