

Plaintext passwords at HN, Reddit, Digg, Slashdot? - tzs

I just noticed that Hacker News, Reddit, Digg, and Slashdot all submit login information via plain HTTP, not HTTPS. The login name and password are readily apparent to anyone with a packet sniffer.

This was surprising to me. Am I missing something?

When I checked the login pages of these sites using "Inspect Element" in Safari and saw that they all appeared to submit in plaintext, I assumed that there was some Javascript or something that would override that, but I just logged into all of these sites with a tcpdump capturing the login, and verified that my credentials were indeed in plain text.
======
dspillett
Many sites do this, which is why when I'm on a public wireless setup (or other
relatively untrusted network) nothing leaves my machine except through my
OpenVPN setup.

Even if the login procedure were protected by HTTPS though, damage can still
be done if the rest of the session reverts to plain HTTP. Someone sniffing the
wireless (or the wire, for that matter) for usernames and passwords could
equally sniff for session IDs and use them to mimic you in the web server's
eye (so they can read your otherwise private data, post as you, and so
forth).

So if you are concerned that your login credentials are sent plain, you should
be concerned that other data (session information specifically) is too.

~~~
brandoncor
What about servers setting the secure flag on their cookies and redirecting to
https?
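An added example, not code from this thread or from any of the sites named, that audits constructed HTTP responses for the two defences brandoncor raises: a redirect from plain HTTP to HTTPS, and the Secure (plus HttpOnly) flag on every cookie the server sets. The two sample responses and the cookie name `user` are constructed for illustration.

```python
"""Check a raw HTTP response for the protections discussed in the thread:
a redirect to https:// and Secure/HttpOnly flags on Set-Cookie headers."""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_response(raw: str):
    """Split a raw HTTP/1.1 response into (status_code, [(name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def audit(raw: str):
    """Return a list of findings; an empty list means both checks passed."""
    status, headers = parse_response(raw)
    findings = []
    # Check 1: a request over plain HTTP should be bounced to an https:// URL,
    # otherwise the session continues in the clear (dspillett's point).
    if status in REDIRECT_CODES:
        location = next((v for k, v in headers if k == "location"), "")
        if urlsplit(location).scheme != "https":
            findings.append("redirect does not go to https")
    else:
        findings.append("no redirect to https")
    # Check 2: every cookie needs Secure so the browser never sends it over
    # HTTP, and HttpOnly so script on the page cannot read it.
    for name, value in headers:
        if name != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)
        for cookie_name, morsel in jar.items():
            if not morsel["secure"]:
                findings.append(f"{cookie_name}: missing Secure")
            if not morsel["httponly"]:
                findings.append(f"{cookie_name}: missing HttpOnly")
    return findings


# Constructed sample responses: the weak one is what the original post
# describes (plain HTTP, unflagged cookie); the hardened one applies both fixes.
WEAK_RESPONSE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                 "Set-Cookie: user=abc123; Path=/\r\n\r\n<html></html>")
HARDENED_RESPONSE = ("HTTP/1.1 302 Found\r\nLocation: https://example.com/login\r\n"
                     "Set-Cookie: user=abc123; Path=/; Secure; HttpOnly\r\n\r\n")
```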

