Please correct me if I am wrong with any of the following... As far as I am aware, HTTPS really only protects from anybody between user and server intercepting unencrypted data. So if you have malware on your computer that logs and sends data before it gets encrypted by HTTPS, you are still screwed. Hence the virtual keyboards for internet cafes and such.

Now... I was thinking about this from the point of view of whether it would even theoretically make sense to get an HTTPS certificate for my website. Because... unless the network people use at home has been compromised, chances seem to be really low that somewhere between user and ISP or ISP and my server, there could be some private person intercepting the data. And since I would operate a website that people are unlikely to access from work, and I don't see it as my responsibility to protect people who don't take care of the security of their network at home, I wonder why I should even bother. (Plus, it's also not like people would store sensitive information on my site such that privacy would be such a big deal... Don't get me wrong - I love it and I would want it everywhere, but... in this case, I would have to pay for it, and since it's a small private project, it just seems like it wouldn't be worth it.)

I also started to think about this because I thought about how to provide secure access to an "admin frontend" for the website. And when I thought about whether it would be possible without HTTPS, I realized that unless my own network is compromised, HTTPS wouldn't give me more security. Just privacy regarding what my ISP can see. So the only thing that could realistically happen would be that some malware slips through my scanners. And to battle that - I am actually wondering which would be more secure... logging in with a virtual keyboard or with a randomly generated hash that I send to my email address and remove immediately after each login (and the login times out after 15 minutes or so)?
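The emailed one-time login value described in the post above, sketched as an added example that is not part of the original post. The class name `OneTimeLoginTokens`, the account label, the in-memory store and the choice to discard the token on any redemption attempt are assumptions made for illustration; sending the email is left out.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # the post's "15 minutes or so"


class OneTimeLoginTokens:
    """Single-use, short-lived login tokens (hypothetical helper).

    Only a SHA-256 digest of each token is kept, so a leak of the
    server-side store does not reveal a token that is still valid.
    """

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self._ttl = ttl
        self._clock = clock      # injectable so expiry can be tested
        self._pending = {}       # account -> (digest, expires_at)

    def issue(self, account):
        """Create the token to be emailed; replaces any outstanding one."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).digest()
        self._pending[account] = (digest, self._clock() + self._ttl)
        return token

    def redeem(self, account, presented):
        """Return True at most once per issued token.

        The stored entry is removed on every attempt (assumed policy),
        so a replayed or guessed value never gets a second try.
        """
        entry = self._pending.pop(account, None)
        if entry is None:
            return False
        digest, expires_at = entry
        if self._clock() > expires_at:
            return False
        candidate = hashlib.sha256(presented.encode()).digest()
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(candidate, digest)
```

The token is a bearer secret: anyone who can read the email or the login request in transit can redeem it before the owner does, so the scheme depends on the confidentiality of both channels.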