Hi,

I am aware of the earlier threads but the answers provided just try to avoid acknowledging the issue...

When setting up a custom login page I don't see any option to use an SSL certificate.

Right now you avoid dealing with the SSL certificates binding by serving plain HTTP. This won't work for long and most browsers will display a warning when trying to access HTTP websites, since they are unsecure.

The issue is even worse since it contains the login form. Although you use an IFrame on HTTPS .. that very code can be changed since it's served over plain HTTP.

A Man-in-the-middle attack can replace the iframe code and could render a similar iframe that points to another location, or just posts the data to two endpoints, a malicious one and the real endpoint.

Two solutions are possible:

 - allow customers to upload their own certificate for their chosen subdomain (since they own the domain, they can generate a certificate just for the mail.domain.com for you to use) (this should be free for the user since he already pays for it by himself)

- add possibility for clients to buy a certificate from you if they can't generate the certificate themselves (this can be offered for a premium)

Either way, the infrastructure needs to support managing these certificates on the Backend (as well as frontend)

My guess is, you already assessed the profit/effort and maybe the simulations don't make it look like something worth pursuing. However, the time has passed and all major browser now display warnings and in the near future they will make it even more scary for people to access these pages. And for good reasons .. it's very unsecure and should be avoided at all cost .. especially for critical pages like a login form...

The question is ... when are you going to fix this and offer at least one of the two options suggested above?

Regards,

Dan