I think I have a pretty good understanding of what a Secure Socket Layer is for, but I have a question regarding how it's being used by some companies that puzzles me...

One of my major clients is a community bank. They would like to put a login form for their online banking site on the home page of their web site.

To me, a login name and password are information that should not be sent in plain text, so I would think that if a login form is put on the home page, the home page should be on a secure socket layer, no? (Well, I feel that the login page should not be on the homepage because most people won't know to type "https://" when visiting the site, hence I'd have to redirect all users to the secure portion of the site every time they hit the home page.)

The reason why I'm asking this is that some *big banks* do have their login pages on a secure (SSL) page, whereas some don't. For example, http://www.wellsfargo.com/ doesn't have their home page on an SSL, but they have a login form on it... is that a good idea? From my understanding, a username and password sent from the Wells Fargo home page would be sent in plain text from the client browser to the secure server... creating a security risk, no? Am I missing something? Wells Fargo's "security" link (just below the login form) claims that all communications are encrypted, even though the home page is not on an SSL... how is that possible?

Thanks in advance...