Ministry pages from which the user can sign in (maybe all of them) should use HTTPS
For more info:https://blog.mozilla.org/tanvi/2016/01/28/no-more-passwords-over-http-please/
Seconded. I am no web programmer but my perception is that right now it's possible to use HTTPS with these pages but that this is not the default. It should be the default for all multiverse pages that include a sign-in (e.g. Anacreon).
Google and Mozilla are getting more in-your-face about the problem with secure logins embedded in insecure pages. See screenshot. And you're right that it works with https, so http should just redirect to https.
Could have sworn that I made a ticket on this before, but I certainly third this.