

Ask HN: Why doesn't Hacker News use HTTPS exclusively? - dewitt

I'm sitting in SF Superior Courthouse, waiting to see if I'll be selected for jury duty, using a public, open wifi network.  I can proxy the connection through a VPN for security of course, but I'm wondering why Hacker News, which already supports SSL/TLS (I'm hitting the HTTPS endpoint right now), doesn't use it exclusively.  Even some popular sites that operate at large scale (such as Google) are increasingly accepting SSL connections only for many of their products these days.

Would the admins of Hacker News consider making such a switch?
======
yoasif_
If you care to do this on as many sites as possible, use HTTPS Everywhere:

<https://www.eff.org/https-everywhere/>

As far as an argument for _not_ switching to HTTPS, HN is one of the very few
web sites that loads up almost immediately on very bandwidth-constrained/high-
latency links in my experience.

HTTPS seems to add additional overhead, where loading these same pages can
time out or take forever to load.

~~~
dewitt
Thanks for the link to HTTPS Everywhere. I recall reading about it at launch,
but wanted to understand it better before installing. IIRC, it uses an
explicit whitelist of URLs that redirect from http to their secure equivalent,
which gave me pause, as it would seemingly be (theoretically) possible for a
malicious party to compromise the whitelist and hijack the redirects. I could
be wrong about the technique of course; I just wanted to wait until I
investigated the approach first.

Regarding latency, there are many sites, such as www.google.com itself, that
achieve low latencies even over SSL. Given the lightweight nature of HN, I
imagine it is at least worth the experiment. I'm using
<https://news.ycombinator.com> myself right now, and the latency, if any,
isn't noticeable. For me anyway.

Thanks again for the pointer to HTTPS Everywhere.

------
tobylane
There's nothing secret here, no private messages or personal data (email and
password aside). Until censorship is a worry, HN is in the later groups of
websites to need https, followed by those with no login and no logging.

