Rap genius or genius.com has received a lot of funding and is doing well in terms of traffic and even at its current level they are not using SSL. What is up with that? I have opened the web inspector and even when logging in they make a plain http request which can reveal the password to any hacker that is sniffing packets.

Is there a reason for not using SSL?
I can't think of any good reasons not to use it. For the most basic of sites, anyone who is serious and wants to protect consumers does what they can. Nothing is ever 100% perfect, but not using SSL does seem like a pretty basic miss.

Just a quick glance at their site and I noticed that the forms are posting to relative paths like /user_session and just do a this.form.submit in the javascript. I didn't dig in so maybe I am missing something, but it seems insecure. There were a few scripts loaded via https, but they didn't appear to be the login.

YC or not doesn't matter (at least to me), this is basic stuff that shouldn't be missed.

Captured from Chrome dev tools on the submit of the login form. The password is passed in plain text below.
authenticity_token:EqtHVWqGXo0b/yZ/pmFcslTzzyhsjJNwewhEBkRLJ9M=
user_session[login]:test
user_session[password]:test
user_session[remember_me]:0
user_session[remember_me]:1
commit:Login
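The check the post above performs by hand (does a password form resolve to an http action?) as an added example; this is not code from the thread or from the site discussed. The HTML and the example.com URLs are constructed, and the scanner resolves a relative action against the page URL the same way a browser does, so a page served over http with an action of /user_session is flagged.

```python
# Added example: flag password forms whose action, resolved against the page
# URL the way a browser resolves a relative action, would post over plain http.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect each <form>'s action and whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []    # [action, has_password] per form
        self._open = None  # index of the form being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.forms.append([attrs.get("action") or "", False])
            self._open = len(self.forms) - 1
        elif tag == "input" and self._open is not None:
            if (attrs.get("type") or "").lower() == "password":
                self.forms[self._open][1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None


def insecure_login_forms(page_url, html):
    """Return resolved action URLs of password forms that do not post over https."""
    scanner = _FormScanner()
    scanner.feed(html)
    flagged = []
    for action, has_password in scanner.forms:
        resolved = urljoin(page_url, action)  # a relative path inherits the page scheme
        if has_password and urlsplit(resolved).scheme != "https":
            flagged.append(resolved)
    return flagged


# Constructed sample page modelled on the login form described in the thread.
SAMPLE_HTML = """
<form action="/user_session" method="post">
  <input type="hidden" name="authenticity_token" value="TOKEN">
  <input type="text" name="user_session[login]">
  <input type="password" name="user_session[password]">
  <input type="submit" name="commit" value="Login">
</form>
<form action="https://example.com/search"><input type="text" name="q"></form>
"""
```

Calling insecure_login_forms("http://example.com/", SAMPLE_HTML) returns the single http action, while the same page served over https yields nothing, which is the difference between the two deployments the thread is comparing.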