

Ask HN: Should a login page use SSL? - MarkHarmon

First off, I&#x27;m not trying to tattle on my web host here. In a forum post, for my web hosting service, I made the following statement.<p>&quot;I already feel exposed having to login to the forums without an https login page.&quot;<p>This was in a discussion about their lack of support for encrypted password transmission for their mail server.<p>The reply I got from my host was.<p>&quot;I don&#x27;t know of a forum anywhere that uses an https login.<p>As far as account compromises that we see (and we see a lot of them), they are almost exclusively due to compromised home or workplace computers, or insecure web sites, not intercepted Internet traffic.<p>I&#x27;m not saying it doesn&#x27;t happen anymore, but it&#x27;s exceptionally rare these days, primarily because it&#x27;s infinitely easier to drop malware or viruses on tens or hundreds of thousands of people in one fell swoop than it is to intercept and analyze an individual users traffic looking for logins.<p>Security concerns are certainly always valid, and if you have reason to believe someone is targeting you, I can understand the desire for heightened security everywhere you enter a login. But the fact is most people would be better served ensuring security closer to home.&quot;<p>I can understand the claim that accounts are more likely to be compromised by user&#x27;s not being careful with their own computers, but something about this reply is lowering my confidence. The reason is that many users will create forum accounts using the same credentials (as their host control panel login), which makes for an easy target IMO.<p>Is this (non-ssl login page) really as common practice as the reply claims? And if so, shouldn&#x27;t that be changed, or am I just being too paranoid?<p>EDIT: Clarified statement.
======
tectonic
Yes.

Beyond that, there's really no excuse for not using SSL everywhere now. If a
site has user data, or requires any sort of login, it should use SSL
everywhere.

------
mechanical_fish
You're correct about the forums, of course, but obviously the real problem is
this:

 _their lack of support for encrypted password transmission for their mail
server_

Unacceptable. Get the heck out of there before you lose something vital.

That's the thing about being shipshape. Why do you focus on getting the little
things right? Because the attitude you bring to the little things is the same
one you bring to the big things. And because, especially in security or
reliability, big problems are built out of minor problems that accumulate or
escalate without warning.

------
minglot
You absolutely should have SSL be required when having a login form. Like
'ctb_mg' said, it's hard to believe we are having this discussion. It's scary
where plaintext goes and how easy it is to intercept.

The tough thing is that not too many years ago it was perfectly normal to not
use https for logins into anything except ecommerce, online banking, and
serious corporate and government stuff. Even Gmail didn't default to https
until a few years ago - long after they were huge!

We also have to remember that SSL certificates suffered a lot on shared
hosting due to dedicated IP requirements (until SNI) and just plain being
difficult and confusing to setup. That's a huge barrier for Average Joe that
wants to setup a forum about race cars or Average Jane who just wants to
manage her own website via CMS.

So now we have tonnes of legacy systems and people who simply haven't gotten
the memo yet. All of which is to say that yes your host should use SSL, but
it's going to be a long time before you see this practiced by the majority of
websites. I'd say your host might be the norm instead of the exception.

Unfortunately their attitude might be indicative about how they think about
the rest of their server security though, in which case you may as well move
to a host that takes things more seriously.

After years of working with dedicated server companies I found that little
things like this did tend to lead to patterns of bad security, bad backup
systems, bad monitoring, etc.

------
ctb_mg
Looks like more head-in-the-sand security from people who aren't detail
oriented. Yes, your login pages need SSL.

Perceived rarity has nothing to do with it! A password is being transmitted in
_plaintext_.

If forum passwords weren't a target then why are so many website databases a
primary target lately? They steal the crappy, unsalted hashes and emails and
go to town at other services where they are likely to use the same password.

I can't believe we are having this discussion!

~~~
MarkHarmon
"I can't believe we are having this discussion!"

That's how I felt, but that is also what made me want to have a quick check
with others before voicing that kind of opinion. Seems like when I am the most
sure about something, I'm the most vulnerable to making a mistake.

