The HN login page seems highly insecure - Can any of you pros give an assessment? - drcode

I noticed that the login page for HN doesn't have any meaningful security, with no use of SSL: http://news.ycombinator.com/newslogin?whence=news

It seems it would be trivial for someone sniffing packets on the network to steal your HN password. Am I right about this?

I'm not asking this because I'm a stickler for web security: Actually, I'm asking because I'm creating my own website right now and would *love* to get away with such a crude, easy to program login mechanism :-)
======
Mamady
Q: If someone were to steal your HN password... what's the worst that could
happen?

A: Not much.

It would seem extra security layers wouldn't provide much benefit.

~~~
drcode
The only person who could get hurt is the one who uses the same password for
HN as they do for their bank. Is it the responsibility of the website
developer to protect that person from themselves?

~~~
corkill
Protect them from themselves no.

Protect their password as much as possible when interacting with your web
app/website, I would say yes.

I don't think about it as a responsibility, rather just a nice or the right
thing to do.

~~~
manuscreationis
I would definitely say it's the responsibility of the application developer to
secure user account information, in addition to being the nice/right thing to
do.

------
bdfh42
No money involved here and (as you are an HN type) you will be using a unique
password.

Accessing HN from your own devices, then you will probably stay logged in - so
not much to "sniff".

Additional security would be all pain with very little gain in my opinion.

~~~
drcode
That basically answers my question, assuming other HNers agree with you: For
my own website I will also have nothing of real value and so there's no real
danger if someone gets hacked. The only real danger is for bozos who use the
same password for HN as they do for their citibank account...

~~~
FuzzyDunlop
If your site has nothing of real value, then why are you requiring a login in
the first place?

Further to that, if someone gets 'hacked' using your service, you've already
highlighted that the vulnerability was using your no value service.

Don't skimp on basic security. And show your potential users a little less
contempt, too. They are not the 'bozos' here.

~~~
mustafa0x
Users who have the same password for HN and their bank are indeed bozos.

~~~
manuscreationis
That isn't the point.

No one here is saying that users shouldn't have better password policies. They
should.

What is being said is that having a devil-may-care attitude toward
safeguarding your users' account data is not ok.

If you use your bank password for anything other than your bank, you're
clearly not taking security seriously.

If you think you shouldn't have to properly secure user account information,
you're clearly not taking security seriously.

Both parties can be wrong, but that doesn't excuse either side.

~~~
mustafa0x
It was the point drcode was making (which FuzzyDunlop misunderstood):

> The only real danger is for bozos who use the same password for HN as they
> do for their citibank account

---

Excuse my pedantry, but I'd advise against saying "That isn't the point.", for
it conflicts with a well known writing technique:
<http://en.wikipedia.org/wiki/Show,_don%27t_tell>

If you insist on doing so, consider a more polite alternative. E.g. "it
seems you've missed the point", "perhaps you've misunderstood", "I feel that
so-and-so was saying something else".

------
loftsy
How about using this: <http://www.mozilla.org/en-US/persona/> for your easy to
program login mechanism.

~~~
drcode
That is somewhat easy, but I don't need anyone's email address and find it
annoying when sites require you to provide it (HN doesn't).

------
bradfa
If you simply go to that login, but s/http/https/, voila! ssl!

I was initially confused by your question; apparently HN is always using https
for me.

~~~
drcode
Well, it's definitely http by default for me, but I agree completely that a
knowledgeable person would switch to https before logging in.

~~~
Firehed
And a knowledgeable developer would do that automatically. It's not a user's
job to know to do this, and it's not a developer's job to train users to know
this. You need security turned on by default, end of discussion.

Is HN a site with sensitive information? Not particularly, unless you put way
too much faith in your karma. That doesn't make a default behavior of sending
passwords over plaintext excusable. And despite most HN users knowing better,
I guarantee there's plenty of password re-use here (hopefully re-use of the
throw-away password that most people have, but that doesn't make the situation
any more acceptable).
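What "security turned on by default" looks like at the login handler, as an added example in Go's net/http that is not HN's code: a plain-http request for the login page is redirected to https before any form is served, and the session cookie is marked Secure so it never travels over http afterwards. The X-Forwarded-Proto check assumes a reverse proxy that overwrites that header on every request; without such a proxy, only r.TLS should be trusted.

```go
package main

import (
	"net/http"
	"net/url"
)

// isTLS reports whether the request arrived over TLS, either directly or via a
// reverse proxy that terminates TLS and sets X-Forwarded-Proto (assumption:
// the proxy overwrites the header, so a client cannot forge it).
func isTLS(r *http.Request) bool {
	if r.TLS != nil {
		return true
	}
	return r.Header.Get("X-Forwarded-Proto") == "https"
}

// httpsURL rewrites the request URL to https on the same host, path and query.
func httpsURL(r *http.Request) string {
	u := url.URL{Scheme: "https", Host: r.Host, Path: r.URL.Path, RawQuery: r.URL.RawQuery}
	return u.String()
}

// LoginHandler never serves the login form over plain http: the user is sent
// to the https URL first, instead of being expected to edit the scheme by hand.
func LoginHandler(w http.ResponseWriter, r *http.Request) {
	if !isTLS(r) {
		http.Redirect(w, r, httpsURL(r), http.StatusPermanentRedirect)
		return
	}
	// HSTS: the browser uses https for this host on its own from now on.
	w.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
	if r.Method != http.MethodPost {
		w.Header().Set("Content-Type", "text/html; charset=utf-8")
		w.Write([]byte(`<form method="post"><input name="acct"><input name="pw" type="password"><button>login</button></form>`))
		return
	}
	// Credential verification is out of scope here; a constructed constant
	// stands in for a freshly generated session id.
	http.SetCookie(w, &http.Cookie{
		Name: "session", Value: "constructed-session-id", Path: "/",
		Secure: true, HttpOnly: true, SameSite: http.SameSiteLaxMode,
	})
	w.WriteHeader(http.StatusNoContent)
}

func main() {
	http.HandleFunc("/newslogin", LoginHandler)
	http.ListenAndServe(":8080", nil) // plain listener; TLS is terminated by the assumed proxy
}
```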

------
yashchandra
I think there is SSL but you have to manually change http to https in the
login URL.

