Recently I registered for an IT Security event, hosting trade shows and seminars addressing IT-security. After registration and logging in on their website with the credentials which were sent to me (by e-mail, in plaintext), something occurred to me: I was missing the 'green lock' in my browser's address bar. It turns out that the website happily lets you fill in your personal information and credentials over an unencrypted HTTP connection. Worse: it doesn't even support HTTPS at all. How can an organisation which is dedicated to IT-security justify such a potential information leak?
Once more it became clear to me that security is easy to preach, but pretty hard to put into practice.