creating secure log-in with php and ssl

Question

In the past whenever I have developed a system with secure authentication i have just used ssl with the entire application so that all connections between the server are encrypted. However the application I am currently developing doesnt require this - only the payment process and the login has to be encrypted.

The style of login is much like Facebooks - the username and password is on the index page but I dont want this page to be encrypted using ssl as it would slow down the delivery time. If you look at facebook they have the same page there index page is not ssl. But when you actually login they divert you to an ssl subdomain and authenticate there.

My question: When my users click login and then are transferred to the secure subdomain is there not some point when there details are sent in plain text? How do they manage to secure this?

Thanks

Answer 1

No. If the login form submits to a https address then the form details are encrypted before being sent to the secure server.

Answer 2

Zaf is right about the data being encrypted before transmission.
But sending the login form itself via https has its advantages. The browser can check the origin of that document before the user provides any credentials.
E.g. when I use google's login form there's a blue area left to firefox' url bar showing me that the certificate used for that response was signed by Thwate for google.com.
Or take the login of the Deutsche Bank. It uses an extended validation certificate and is fully trusted by firefox which therefore shows a green area telling me that this site is run by "Deutsche Bank AG". That makes it a lot harder to plant a fraud login page on me.
Is using https for sending the login form really that much slower?