And it is not possible to fix these flaws?
Regards, Lars.
I'm not sure how it was previously but in 3.x moving to HTTPS site wide is fairly easy, out of curiosity why would you want to fix the flaws and use HTTPS only for login when someone could do a MITM attack and grab the authentication cookie of an administrator. Maybe I'm missing something but it just seems like a great way to potentially give someone open season on your install.