Just about everyone I ask tells me that it's best practice to implement SSL/HTTPS for any login page (to protect user passwords), but then I notice that HN doesn't use SSL/HTTPS for login. Am I missing something? Is it risky to use the HN login on public networks?

Sorry in advance if this has been covered before; I did a quick search and didn't see any recent posts...
It wouldn't be so bad except cookies aren't invalidated when you change your password. I changed mine a few days ago, and didn't have to log in again on any of my other computers. So once your cookie is sniffed, that person is you forever.
Probably one of these two:

1) HN is a side project for a busy man, and SSL/HTTPS simply isn't very high on the feature list.

2) Arc, the language HN is written in, doesn't support SSL/HTTPS
Once you log in and the fact that you're logged in is passed around via a cookie, unless the entire interaction with the website is over HTTPS, the session can be hijacked in any wifi coffeehouse, rendering the limited usage of HTTPS mostly pointless.
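The two complaints above (a sniffed cookie stays valid even after a password change, and a cookie that is sent over plain HTTP can be captured on any shared network) are both server-side design problems. The following is an added example, not HN's or Arc's code: a minimal in-memory session store that stamps each session with the password version it was issued under, so that changing the password invalidates every other session, and that emits the cookie with the Secure and HttpOnly attributes so a browser will never send it over plain HTTP. All names (USERS, SESSIONS, register, login, change_password, set_cookie_header) and the stored data are constructed for this example.

```python
import hashlib
import hmac
import secrets
import time

# In-memory stand-ins for a database (constructed for this example).
USERS = {}      # username -> {"salt", "pw_hash", "pw_version"}
SESSIONS = {}   # session id -> {"user", "pw_version", "expires"}

SESSION_TTL = 7 * 24 * 3600  # one week, in seconds


def _hash_password(password, salt):
    # Salted, slow password hash; never store the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def register(username, password):
    salt = secrets.token_bytes(16)
    USERS[username] = {
        "salt": salt,
        "pw_hash": _hash_password(password, salt),
        "pw_version": 1,  # bumped on every password change
    }


def _check_password(user, password):
    candidate = _hash_password(password, user["salt"])
    return hmac.compare_digest(user["pw_hash"], candidate)


def login(username, password):
    """Return a fresh session id on success, None on failure."""
    user = USERS.get(username)
    if user is None or not _check_password(user, password):
        return None
    sid = secrets.token_urlsafe(32)  # unguessable, not derived from user data
    SESSIONS[sid] = {
        "user": username,
        "pw_version": user["pw_version"],  # remember which password minted it
        "expires": time.time() + SESSION_TTL,
    }
    return sid


def current_user(session_id):
    """Resolve a presented cookie to a username, or None if it is no longer valid."""
    sess = SESSIONS.get(session_id)
    if sess is None:
        return None
    user = USERS[sess["user"]]
    # A session minted under an older password is rejected and dropped: this is
    # the check that a "cookie is you forever" design lacks.
    if time.time() > sess["expires"] or sess["pw_version"] != user["pw_version"]:
        del SESSIONS[session_id]
        return None
    return sess["user"]


def change_password(username, old_password, new_password, keep_session=None):
    """Rotate the password; every session except keep_session becomes invalid."""
    user = USERS[username]
    if not _check_password(user, old_password):
        return False
    user["salt"] = secrets.token_bytes(16)
    user["pw_hash"] = _hash_password(new_password, user["salt"])
    user["pw_version"] += 1
    if keep_session in SESSIONS:
        # The session that performed the change may stay logged in.
        SESSIONS[keep_session]["pw_version"] = user["pw_version"]
    return True


def set_cookie_header(session_id):
    # Secure: the browser only sends it over HTTPS, so it is never exposed on a
    # plain-HTTP page even if the site serves some. HttpOnly: page scripts cannot
    # read it. SameSite=Lax limits cross-site sending.
    return (f"Set-Cookie: sid={session_id}; Secure; HttpOnly; "
            f"SameSite=Lax; Path=/; Max-Age={SESSION_TTL}")


if __name__ == "__main__":
    register("alice", "correct horse")
    laptop = login("alice", "correct horse")
    phone = login("alice", "correct horse")
    change_password("alice", "correct horse", "battery staple", keep_session=phone)
    print("laptop session still valid:", current_user(laptop) is not None)  # False
    print("phone session still valid:", current_user(phone) is not None)    # True
    print(set_cookie_header(phone))
```

The Secure attribute only helps if the whole site is reachable over HTTPS; if any page is served over plain HTTP the browser will simply not send the cookie there and the user appears logged out, which is the intended failure mode rather than a leaked session.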
It's a social news site, a low-risk target for that sort of thing. When it started, the aggregate tech level was high enough that pretty much everyone knew to use a different password on each site as a best practice. Now not so much. In any event he was busy and decided that it was a low enough risk for the password to be sent in the clear, as the damage that could potentially be caused is low (a few bunk comments, changing the email address/password, etc....). At least that is what I recall him posting here when this question came up before.
I will never understand what people's obsession with security for the sake of obsession is. This is a website where I sometimes log in for the purposes of writing snarky comments. I'm not keeping my banking information on here, or any PII (besides my username I guess), or any health records or what have you.

Will someone please explain to me in succinct terms what the purpose for having a super-secure login would be -- that is, what the threat is and how SSL will protect against it?
Speaking as an information security professional, it is a damn good idea to implement SSL/TLS on any login field.

That said, as (mostly) technical people here at HN, we should realize that putting our machines in a position where traffic could be sniffed or altered -- that is, on the same public WiFi or subnet as a malicious user -- is risky to begin with. DNS and ARP poisoning could redirect any HTTP requests to anywhere else on the Internet whether or not it's trying to initiate an encrypted connection. SSL is an important aspect of security, but can't be relied upon to protect you in a hostile environment.
Same reason you don't secure your front door with an electronic time lock, armed guards and dogs on patrol: it's not that much of a threat.

In the very unlikely event that my HN password gets sniffed, I'll need to change my username or ask for a password reset. Worst case is someone posts a few derogatory comments under my name. I'll survive! The same password is used on a few other sites where the loss to me would be about the same: not a big deal.
I'm just wondering, everyone was pissed off with Gawker because it didn't use best practices to secure its users. Well, you could say it was their duty to do so.

I can't imagine why anyone would break into HN, but if it actually happened, who would be to blame?

Update: Corrected Typo
Obviously it would cost money. Obviously some people want it to happen. Maybe pg could tell us how much it would cost (counting his time at whatever rate he pleases), and we could do a kickstart to raise it?
pg does not tell us on the register page "Hey, say bye bye to your password!". Password that probably lands on a plain text file too, in clear, super-clear, without hashing...

Arc missing SSL support, HN is a side project, pg-pg-pg-is-a-busy-man, CPU usage, $$... WTF!? You better do it right, or don't do it at all.

When months ago I registered, I used a "serious" password.
Then, curious, I took a look at the page source... aargh, no SSL!

Immediately I changed my password to an "offensive" one. And I invite everyone to do the same. Hey pg, hey sniffers, you can read my password, can't you? Go, go, go read my password!

And as usual, pg fanboys, please be rapid downvoting me.

State of the art and best practices FTW!!!