Ispconfig seems to be inconsistent in its approach to security. During install many ssl certificates are created presumably to provide pops, imaps, etc. However, the default admin and user control panel pages are unprotected by ssl. I would like to see the default setup that is more secure.
If you want to have ssl on the controlpanel, we made a faq how to enable it: http://www.faqforge.com/linux/controlpanels/ispconfig3/enable-ssl-for-the-ispconfig-3-controlpanel/
