@steve_piercy the issue is if the login form is http, a network attacker can substitute her own flash object and have it submit to her