I can't believe such an uninformed and dangerous post is sitting in public, implicitly endorsed by 37signals.
From the URL it looks like may be getting pulled out of an svn repo or some other internal resource. Nonetheless, they need to get rid of this, because I certainly would have hestitation in using their software if they do not understand such fundamental aspects of security as this.
Quite apart from the dangerous notion of mixing SSL and non-SSL content, even the part about caching is just plain wrong. Recent browsers will cache SSL resources to disk if you send appropriate cache-control headers (this was one of the huge issues fixed in FF3.0).
The "svn" in the url is a reference to the name of the blog: "Signal vs. Noise". It is very much in public, the second link on their front page goes to it.
From the URL it looks like may be getting pulled out of an svn repo or some other internal resource. Nonetheless, they need to get rid of this, because I certainly would have hestitation in using their software if they do not understand such fundamental aspects of security as this.
Quite apart from the dangerous notion of mixing SSL and non-SSL content, even the part about caching is just plain wrong. Recent browsers will cache SSL resources to disk if you send appropriate cache-control headers (this was one of the huge issues fixed in FF3.0).