Direct Debit
has no one heard of using direct debit???.. then their is no need to use their site to pay your bill
cant get safer than that....
A British Gas website that allows homeowners to pay bills leaves consumers exposed by inviting them to submit credit card information across an unencrypted link. Consumers logging on to pay their bills through house.co.uk initially go through a secure server. But once they create an account and login they may be transferred …
This is such a schoolboy error, especially when it's so easy to fix. Every page I code that takes credit card details or something equally private, I insert a simple check for HTTP, in which case it redirects to the same address over HTTPS. Then, even if I'm a muppet enough to link to it over the insecure address from somewhere else, it's still caught.
Mind you, short of the browser screaming at the user and bludgeoning them with a e-sledgehammer, it's very hard to get people to check for the secure link. Maybe browsers should start panicking and warn the user if they start filling out a form with credit-card-like details over an insecure connection.
Ian's method is the best way -- always make your page checks for HTTPS on its own; never trust that the user got to the page via HTTPS. Check for HTTPS, and if it's not secure, redirect to HTTPS. Simple, easy, secure.
However, while Ian's suggestion of having browsers scream at the users if they start to enter information into a non-HTTPS form, I don't think that would do any good. I can't even count the number of times I have been at a client's and I saw them click OK on an error screen; when I ask them what it said, it's always the same answer -- "I don't know". Users are in the habit of clicking "OK" (which explains why so many are infected by spyware), that they don't even bother reading the error screens anymore.