
How to work around chrome “Not Secure” with HTTP login - bullen
http://binarytask.com
======
Piskvorrr
The authors haven't read this, have they?
[https://news.ycombinator.com/item?id=13456706](https://news.ycombinator.com/item?id=13456706)

In other words, it's not enough to capture the keydown event. They have broken
native browser functionality and made it less secure - for negligible gain.
(That's not to speak of the free, simple and secure HTTPS solution available,
_ahem_ LetsEncrypt _ahem_ )

~~~
bullen
This actually hashes the password with a salt which at least avoids sending the
password in clear text.

Having a governmental/"big company" hackable security solution wasting many
gigawatts and countless hours (ahem LetsEncrypt ahem) is sad.

Instead build your own security IF and WHEN you need it.

But you can keep encrypting those un-cacheable images if you want, and good
luck debugging that HTTPS stream!

The same goes for HTTP/2 (only moves head-of-line issue to the TCP layer) and
WebSockets (completely over-engineered solution to an already solved problem,
see comet-stream).
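To make the disagreement in this thread concrete, here is an added toy model (not code from the site being discussed or from either commenter) of a login that hashes the password with a salt in the browser and submits the hash over plain HTTP. The salt value, the hash construction and all function names are assumptions chosen for illustration. The model shows why a salt alone does not buy transport security: the submitted hash is a reusable credential, so anyone who can read the HTTP request can authenticate with it. It also shows, going slightly beyond the thread, what a server-issued one-time challenge adds (plain replay of a captured response stops working) and what it still leaves open.

```python
import hashlib
import hmac
import secrets

# Assumed: a fixed salt embedded in the login page, visible to every visitor.
SALT = "example-static-salt"


def client_side_hash(username: str, password: str, salt: str = SALT) -> str:
    """Model of what the browser submits instead of the raw password."""
    return hashlib.sha256(f"{salt}:{username}:{password}".encode()).hexdigest()


class Server:
    """Server that stores and compares the client-computed hash directly."""

    def __init__(self) -> None:
        self._users: dict[str, str] = {}

    def register(self, username: str, password: str) -> None:
        self._users[username] = client_side_hash(username, password)

    def login(self, username: str, submitted_hash: str) -> bool:
        expected = self._users.get(username)
        return expected is not None and hmac.compare_digest(expected, submitted_hash)


def replay_captured_request(server: Server, captured: dict) -> bool:
    """Someone who saw the plain-HTTP request resubmits it unchanged."""
    return server.login(captured["user"], captured["hash"])


def demo_replay() -> tuple[bool, bool]:
    """Returns (legitimate login succeeded, replayed login succeeded)."""
    server = Server()
    server.register("alice", "correct horse battery staple")  # constructed sample user
    request = {"user": "alice",
               "hash": client_side_hash("alice", "correct horse battery staple")}
    legitimate = server.login(request["user"], request["hash"])
    replayed = replay_captured_request(server, request)
    return legitimate, replayed


class ChallengeServer(Server):
    """Same storage, but the client must answer a fresh per-login nonce."""

    def __init__(self) -> None:
        super().__init__()
        self._pending: dict[str, str] = {}

    def challenge(self, username: str) -> str:
        nonce = secrets.token_hex(16)
        self._pending[username] = nonce
        return nonce

    def login(self, username: str, response: str) -> bool:
        nonce = self._pending.pop(username, None)  # one-time use
        stored = self._users.get(username)
        if nonce is None or stored is None:
            return False
        expected = hmac.new(stored.encode(), nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


def client_response(username: str, password: str, nonce: str) -> str:
    """Browser-side answer to the challenge, derived from the salted hash."""
    key = client_side_hash(username, password).encode()
    return hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()


def demo_challenge() -> tuple[bool, bool]:
    """Returns (fresh login succeeded, replay of an old response succeeded)."""
    server = ChallengeServer()
    server.register("alice", "correct horse battery staple")
    nonce = server.challenge("alice")
    response = client_response("alice", "correct horse battery staple", nonce)
    fresh = server.login("alice", response)
    server.challenge("alice")           # next login gets a new nonce
    replayed = server.login("alice", response)
    return fresh, replayed


if __name__ == "__main__":
    print("static hash: legitimate, replayed =", demo_replay())
    print("challenge:   fresh, replayed     =", demo_challenge())
```

`demo_replay()` returns `(True, True)`: the client-side hash is password-equivalent on the wire, which is what the "Not Secure" label is warning about. `demo_challenge()` returns `(True, False)`, but note what the challenge does not fix: the stored hash is still password-equivalent if the database leaks, the salt is public so a captured response can still be tested offline against a word list, and without TLS nothing stops someone on the path from serving a modified login page that skips the hashing altogether.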

~~~
Piskvorrr
Main issue is with UX - password manager integration? Nope. Pasting? Nope.
Avoiding a warning "insecure form" on an insecure form? Well yeah. Here, have
a cookie.

Countless hours? Took me all of 15 minutes. Debugging HTTPS? Fiddler.

~~~
bullen
Thx, I like cookies. Talking of cookies: did you know they are going to remove
those "We use cookies, do you accept?" annoyances soon? This "Not Secure"
kinda reminds me of that. It's political, not technical.

~~~
Piskvorrr
Nope. "Naive hashing" versus "actual crypto" is indeed technical, not
political. There are at least three different ways in which your "secure"
password field is actually insecure (and thus deserves the label "not
secure").

~~~
bullen
Yes, but security is always in a context. I will not use this login for stuff
that requires security, like my bitcoin bank for example; there I will use the
same idea (hashing) but with a secret stored and encrypted on the client's
machine. Always build what you need when you need it! Also HTTPS is really
insecure when you have a root cert like all governments/big companies have.

~~~
Piskvorrr
There's a pretty wide gap between "no security" and "government-adversary
security". Most attacks happen on the lower levels of sophistication, a.k.a.
by script kiddies. HTTPS fixes that pretty efficiently. Also, big companies
have root certs - but trusted outside their perimeter? I think not.

Edit: Also, _you_ won't, but what about other users? The label was there to
warn them "this is not secure, be aware of it". You took that away Because It
Looks Ugly (I still don't see another reason for that) and make the browser
pretend that it's not insecure.

~~~
bullen
It's not more insecure than it has been for the past 20 years. Actually it's
more secure and the script kiddies can only hack it if your password is in
their dictionary.

I'm not concerned with script kiddies, I'm concerned with google and co +
governments. In that context this is actually more secure. Yes, large
companies and governments have root certs that are in your browser right now.

