I would like to make log in process more safely. And to achieve it i’m thinking to start using https. I have never used it before.
Now on main page user see login link, and div with login form already loaded with the main page together. User click on login link and see immediately LoginForm. in action attributes of form I will put url beginning from htts. So my question: Will these username and password send out by protected protocol or not ?
P.S. I have no registeres certificate, so most modern browsers actually show page about risks … so how usually everyone solve such issues?
The entire HTTP request will be encrypted, including headers and query parameters (more details in this answer).
However, you should also make sure the landing page is using HTTPS. A essential point of the security offered by HTTPS is that only the client can really check it: the user has to see it in use via the user interface first. You’ll find more details in this OWASP rule (and in this previous answer to a similar question).
As for the browser warnings regarding your cert: you’ll need to get a certificate from a CA recognised by most browsers.