This is Bjornsing's TypePad Profile.
Bjornsing
Recent Activity
[[[You get a plain old HTTP connection until you log in, at which point they automatically switch to HTTPS encryption. Makes sense.]]]
[Actually, no, it's completely insecure if the login form is delivered over HTTP. A network based attacker can steal your credentials by changing the form.]
@Eric Lawrence, you're absolutely right. But it's actually even worse than that. If your users ever access (or try to access) your site through plain HTTP you have a problem: a man-in-the-middle can intercept this request and prevent the switch to HTTPS. The solution proposed in the OP offers increased security if and only if end-users will notice not being switched over to HTTPS and conclude that they are subject to a MITM attack. Highly unlikely, I would say.
Perhaps I'm biased (I work on http://www.anyfinetworks.com), but I think link level security has its place.
Should All Web Traffic Be Encrypted?
The prevalence of free, open WiFi has made it rather easy for a WiFi eavesdropper to steal your identity cookie for the websites you visit while you're connected to that WiFi access point. This is something I talked about in Breaking the Web's Cookie Jar. It's difficult to fix without making ma...
Bjornsing is now following The Typepad Team
Feb 25, 2012
