Use a https-URL for $htsrv_url.

E.g. in /conf/_advanced.php set $htsrv_url to:

$htsrv_url = 'https://'.substr( $baseurl, 7 ).$htsrv_subdir; // cut off "http://" from $baseurl

or just

$htsrv_url = 'https://example.com/htsrv/';

(In version 1.9 there will be $htsrv_url_sensitive, which the get used only for login and other places where passwords are involved, but not for /htsrv/call_plugin.php for example.)

blueyed, that worked like a charm! To be really safe, I also added an .htaccess file in blogs/ that reads:

<Files admin.php> 
SSLRequireSSL 
</Files>

This will actually protect admin.php from being called under plain ole http.

Now, I'm trying to figure out how to change the "admin" link on the skins to go to https. I think I found the spot..in blogs/inc/MODEL/users/_user.funcs.php, line 290. But I'm not sure how to change it to https there.

I found it! I just needed to go into _advanced.php and replace the line that reads:

$admin_url = $baseurl.$dispatcher; */

with

$admin_url = 'https://'.substr( $baseurl, 7 ).$dispatcher;

WooHoo! My installation of b2evolution is now safely running all admin functions behind https! I'm feeling ever so much more secure! Thanks again blueyed!

No problem. I did quite the same thing.. :)

Passwords should not travel unencrypted.