Ask HN: Why does genius.com a Y Combinator startup not use SSL - ankurpatel

Rap genius or genius.com has received a lot of funding and is doing well in terms of traffic and even at its current level they are not using SSL. What is up with that? I have opened the web inspector and even when logging in they make a plain http request which can reveal the password to any hacker that is sniffing packets.

Is there a reason for not using SSL?
======
davismwfl
I can't think of any good reasons not to use it. For the most basic of sites
anyone who is serious and wants to protect consumers does what they can.
Nothing is ever 100% perfect, but not using SSL does seem like a pretty basic
miss.

Just a quick glance at their site and I noticed that the forms are posting to
relative paths like /user_session and just do a this.form.submit in the
javascript. I didn't dig in so maybe I am missing something, but it seems
insecure. There were a few scripts loaded via https, but didn't appear to be
the login.

YC or not doesn't matter (at least to me), this is basic stuff that shouldn't
be missed.

Captured from Chrome dev tools on the submit of the login form. Password is
passed in plain text below.

    authenticity_token:EqtHVWqGXo0b/yZ/pmFcslTzzyhsjJNwewhEBkRLJ9M=
    user_session[login]:test
    user_session[password]:test
    user_session[remember_me]:0
    user_session[remember_me]:1
    commit:Login
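The two observations in the comment above (a login form whose relative action inherits the plain-http scheme of the page it was served on, and a form body that carries the password in cleartext) can be checked mechanically. The following Python is an added example for this thread, not code from genius.com or from the commenter; the page URL, the HTML and the request body are constructed to mirror the field names in the captured submission, and the token value is a placeholder.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urljoin, urlsplit

# Constructed sample page: models a login form posting to the relative path
# /user_session, as described in the comment. Not genius.com's real markup.
SAMPLE_PAGE_URL = "http://example.invalid/login"
SAMPLE_HTML = """
<form action="/user_session" method="post" id="login">
  <input type="hidden" name="authenticity_token" value="PLACEHOLDER_TOKEN">
  <input type="text" name="user_session[login]">
  <input type="password" name="user_session[password]">
  <input type="submit" name="commit" value="Login">
</form>
<form action="https://example.invalid/search" method="get">
  <input type="text" name="q">
</form>
<form action="https://example.invalid/user_session" method="post" id="login-tls">
  <input type="password" name="user_session[password]">
</form>
"""

# Constructed url-encoded request body using the field names from the captured
# submission above; the authenticity token is a placeholder, not the real value.
CAPTURED_BODY = (
    "authenticity_token=PLACEHOLDER_TOKEN"
    "&user_session%5Blogin%5D=test"
    "&user_session%5Bpassword%5D=test"
    "&user_session%5Bremember_me%5D=0"
    "&user_session%5Bremember_me%5D=1"
    "&commit=Login"
)

# Field-name fragments treated as credentials (assumption: a simple heuristic).
CREDENTIAL_NAME_HINTS = ("password", "passwd", "pwd")


class FormCollector(HTMLParser):
    """Records every <form> action and whether the form holds a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            # <input> without a type attribute defaults to a text field.
            if (attrs.get("type") or "text").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def find_cleartext_logins(page_url, html):
    """For each form with a password field, return the resolved submit URL and
    whether the browser would send it without TLS. A relative action such as
    /user_session is resolved against the page URL, so it inherits that page's
    scheme: on an http page the credentials go out in the clear."""
    collector = FormCollector()
    collector.feed(html)
    findings = []
    for form in collector.forms:
        if not form["has_password"]:
            continue
        target = urljoin(page_url, form["action"])
        findings.append({"target": target, "cleartext": urlsplit(target).scheme != "https"})
    return findings


def credential_fields_in_body(body):
    """Names of url-encoded form fields whose name suggests a credential."""
    names = []
    for name, _value in parse_qsl(body, keep_blank_values=True):
        if any(hint in name.lower() for hint in CREDENTIAL_NAME_HINTS):
            names.append(name)
    return names


if __name__ == "__main__":
    for finding in find_cleartext_logins(SAMPLE_PAGE_URL, SAMPLE_HTML):
        label = "CLEARTEXT" if finding["cleartext"] else "tls      "
        print(label, finding["target"])
    print("credential fields in body:", credential_fields_in_body(CAPTURED_BODY))
```

The check on the form action is the point the comment makes about relative paths: the same `/user_session` action is fine on an https page and exposes the password on an http page, because the transport is decided by the page that served the form, not by the form itself. The body check is the defender's view of the dev-tools capture, identifying which fields a passive observer on the path would have seen.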