You only answered 1/2 the question above.
See http://apple.slashdot.org/story/12/02/12/1530252/southwest-airlines-iphone-app-unencrypted-vulnerable-to-eavesdroppers?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+(Slashdot) for the latest impact of unencrypted passwords over the internet.
You seriously think so?
Q1) Doesn’t Mailman run on Apache?
Q2) Doesn’t Apache have the ability to determine which domain the incoming request is for and serve up the appropriate certificate?
Q3) a) If 1&2 are correct, can’t Apache be readily configured to serve up the Certificate the domain owner has purchased?
b) If 1 and/or 2 are wrong, I don’t think that the list owners would balk at using a Dreamhost certificate to protect the list passwords and help keep hackers & spammers off of our lists.
As for MailManager, having that as HTTP Only is even worse than what happened to Southwest Airlines and their webapp. See above questions.
NOTE: Webmail access gives:
"Invalid Certificate: The certificate is only valid for the following names:
webmail.dreamhost.com , www.webmail.dreamhost.com"
It’s not as if you are using domain-specific certificates in all domain-related areas currently. What I am really asking is, at a MINIMUM (more would be nice, but minimum would be good), to secure all password-protected pages at least with the Dreamhost SSL or TLS Certificates (preferably the latter).