Most programmers take a pragmatic approach to security and scale their efforts based on an estimate of the sensitivity of the data they are storing.
The unfortunate truth is that password security is frequently underestimated, making it easy for credentials to be sniffed or stolen. Users typically keep a very small collection of passwords, memorizing a handful and reusing them on almost every site and service they use. A password compromise on one site can therefore lead to a compromise on many.
Many websites offer the flexibility to display the same page via both SSL and HTTP. The major problem with offering this is the possibility that embedded content will not be served via the same protocol; many browsers will throw an error if an SSL page embeds HTTP images.
However, there is a simple and W3C-valid solution to this problem. Simply omit the protocol and colon from the URL:
The drawback to doing this everywhere is that you must be conscious of whether the resource you are linking to is available over both SSL and plain HTTP. Embedded scripts from services like Google Analytics are well served by this technique. If your enterprise uses a dedicated image hosting server, this is also a highly appropriate solution.
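As an added example (not code from the original post), the following script finds embedded resources that would trigger a mixed-content error on an SSL page and rewrites them into the protocol-relative form described above; the tag list, attribute list and sample page are constructed for illustration.

```javascript
// Added example, not part of the original post. Scans HTML for embedded
// resources (img/script/link/iframe/source) whose src/href is hard-coded
// to http://, which browsers flag when the page itself is served over SSL.
// The tag and attribute lists below are an assumption of common cases.
const EMBED_ATTRS =
  /<(?:img|script|link|iframe|source)\b[^>]*?\s(?:src|href)\s*=\s*["']([^"']+)["']/gi;

// Constructed sample page mixing SSL, plain-HTTP, relative and
// protocol-relative resource references.
const SAMPLE_PAGE = [
  '<html><head>',
  '<link rel="stylesheet" href="https://cdn.example.com/site.css">',
  '<script src="http://analytics.example.com/ga.js"></script>',
  '</head><body>',
  '<img src="http://images.example.com/logo.png" alt="logo">',
  '<img src="/local/photo.png">',
  '<iframe src="//widgets.example.com/embed"></iframe>',
  '</body></html>',
].join('\n');

// Returns every embedded URL that is pinned to plain HTTP.
function findMixedContent(html) {
  const found = [];
  for (const m of html.matchAll(EMBED_ATTRS)) {
    const url = m[1].trim();
    if (/^http:\/\//i.test(url)) found.push(url);
  }
  return found;
}

// Drops the scheme and colon so the browser reuses the page's own
// protocol. Only do this for hosts that actually serve both schemes.
function toProtocolRelative(url) {
  return url.replace(/^https?:/i, '');
}

// Rewrites only the http:// references; https:// ones are left alone so
// they are never downgraded when the page is viewed over plain HTTP.
function rewriteMixedContent(html) {
  return html.replace(EMBED_ATTRS, (tag, url) =>
    /^http:\/\//i.test(url) ? tag.replace(url, toProtocolRelative(url)) : tag
  );
}

console.log(findMixedContent(SAMPLE_PAGE));
console.log(rewriteMixedContent(SAMPLE_PAGE));
```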
Below is an email I got through Zend’s certified engineer website. The questions posed by the writer below are not uncommon, so I have posted his letter and my response for general consumption.