
SSL is a sweet bonus feature. Is this on Heroku?


He's not using Strict Transport Security. The cookies that I can see don't have the secure flag set. I can't see a session cookie as I will not sign up to this service until he fixes the login. But I'm going to assume he hasn't set the secure flag on that either.

Which all boils down to the following: An active MITM can trivially steal your session cookie and take over your account.


HTTPS should be the default when handling logins. I won't use one of my strong passwords on non-HTTPS websites.



