

Ask HN: Why doesn't HN use SSL/HTTPS for its login form? - matthodan

Just about everyone I ask tells me that it's best practice to implement SSL/HTTPS for any login page (to protect user passwords), but then I notice that HN doesn't use SSL/HTTPS for login.  Am I missing something? Is it risky to use the HN login on public networks?

Sorry in advance if this has been covered before-- I did a quick search and didn't see any recent posts...
======
tedunangst
It wouldn't be so bad except cookies aren't invalidated when you change your
password. I changed mine a few days ago, and didn't have to login again on any
of my other computers. So once your cookie is sniffed, that person is you
forever.

------
mixmax
Probably one of these two:

1) HN is a side project for a busy man, and SSL/HTTPS simply isn't very high on
the feature list.

2) Arc, the language HN is written in, doesn't support SSL/HTTPS

~~~
burgerbrain
If you can't do it properly...

~~~
nuclear_eclipse
It's open source, you could always donate some of your own time to do it
properly...

~~~
mike-cardwell
As jbyers said, it should be trivial to stick a webserver which supports SSL
in front of the app. Perhaps it would be a good idea to modify the app to add
the secure flag to the cookie it sets though.

~~~
chopsueyar
Why do you care? I've already used Firesheep three times to downvote using
your account.

I'll do it with this comment, too.

~~~
mike-cardwell
Cool, so what's your password then? Seeing as it doesn't matter if anyone
finds it out...

~~~
chopsueyar
I only care about your session. You can keep your password, unless I brute-
force it from a 37signals webapp.

~~~
mike-cardwell
Ah, so you do care enough to not share your password. So I guess the reason I
care about SSL is the same reason you care about SSL.

------
zzzeek
once you login and the fact that you're logged in is passed around via a
cookie, unless the entire interaction with the website is over HTTPS, the
session can be hijacked in any wifi coffeehouse, rendering the limited usage
of HTTPS mostly pointless.
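The mechanism zzzeek describes (and the `Secure` cookie flag mike-cardwell mentions further up) can be shown with a toy cookie jar that applies the one rule a browser uses for that attribute. This is an added example, not HN's code or any commenter's; the cookie name and value, and the request URLs, are constructed for illustration.

```python
"""
Added example (not HN's code): a minimal cookie jar implementing the browser
rule for the Secure attribute, to show why an HTTPS-only login page does not
protect the session cookie that is issued after login.

Constructed inputs: the Set-Cookie header and the browsing URLs below are
illustrative, not captured from the real site.
"""
from urllib.parse import urlsplit


def parse_set_cookie(header):
    """Parse 'name=value; Path=/; HttpOnly; Secure' into a dict."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name, "value": value, "secure": False, "httponly": False}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.lower()
        if key == "secure":
            cookie["secure"] = True
        elif key == "httponly":
            cookie["httponly"] = True
        else:
            cookie[key] = val  # Path, Domain, Expires, ... kept as strings
    return cookie


class CookieJar:
    def __init__(self):
        self.cookies = []

    def store(self, set_cookie_header):
        self.cookies.append(parse_set_cookie(set_cookie_header))

    def cookie_header_for(self, url):
        """The Cookie: header a browser attaches to a request for this URL.
        A cookie marked Secure is only sent over https; everything else is
        sent over http too."""
        scheme = urlsplit(url).scheme
        sent = [c for c in self.cookies if scheme == "https" or not c["secure"]]
        return "; ".join(f"{c['name']}={c['value']}" for c in sent)


def sniffer_sees(jar, urls):
    """What a passive observer on the same network (Firesheep-style) reads:
    only plaintext http:// requests are visible, and only with the cookies
    the browser actually attached to them."""
    leaked = []
    for url in urls:
        if urlsplit(url).scheme == "http":
            hdr = jar.cookie_header_for(url)
            if hdr:
                leaked.append((url, hdr))
    return leaked


def demo(secure_flag):
    # Constructed: login over HTTPS issues the session cookie.
    header = "user=alice-s3ss10n; Path=/; HttpOnly"
    if secure_flag:
        header += "; Secure"
    jar = CookieJar()
    jar.store(header)
    # Constructed browsing session: the login page is https, the rest is http.
    urls = [
        "https://news.ycombinator.com/login",
        "http://news.ycombinator.com/news",
        "http://news.ycombinator.com/item?id=1",
    ]
    return sniffer_sees(jar, urls)


if __name__ == "__main__":
    print("without Secure:", demo(False))
    print("with Secure:   ", demo(True))
```

Without the `Secure` attribute the session cookie rides on every plain `http://` page view and is trivially readable on a shared network even though the password itself went over HTTPS. With the attribute the browser withholds the cookie from `http://` requests, which stops the leak but also means the user appears logged out on every non-HTTPS page; the flag therefore only makes sense once the whole site, not just the login form, is served over HTTPS.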

~~~
nuclear_eclipse
The point is to prevent your actual password from being sent in the clear. Yes
your session could still be hijacked, but most websites will at least require
you to re-enter your password (over SSL) to change your key profile attributes
or password, meaning the most someone can do with a hijacked session is
vandalize the site from your account. If they have your password via sniffing,
they can instantly do a _whole lot_ more, especially if you use the same
password everywhere, regardless of the merits of doing that.

~~~
mrduncan
_most websites will at least require you to re-enter your password (over SSL)
to change your key profile attributes or password_

While that is the case for most sites, HN doesn't require you to enter your
current password when changing your password (or any other information for
that matter).
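The two gaps raised in this thread, tedunangst's (other sessions survive a password change) and mrduncan's (no current-password check when changing it), are both addressed by keeping a per-user password generation and checking it on every request. The following is an added example, not HN's code or any commenter's; the class and function names are illustrative.

```python
"""
Added example (not HN's code): a minimal session store in which changing the
password (a) requires the current password and (b) invalidates every other
session, which is what the comments above say HN did not do.

Names (User, SessionStore, change_password, ...) are illustrative.
"""
import hashlib
import hmac
import os
import secrets


class User:
    def __init__(self, name, password):
        self.name = name
        self.salt = os.urandom(16)
        self.pw_hash = self._hash(password, self.salt)
        # Bumped on every password change. Sessions record the generation
        # they were issued under, so cookies from before a change stop working.
        self.pw_generation = 0

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def check_password(self, password):
        return hmac.compare_digest(self._hash(password, self.salt), self.pw_hash)

    def set_password(self, new_password):
        self.salt = os.urandom(16)
        self.pw_hash = self._hash(new_password, self.salt)
        self.pw_generation += 1


class SessionStore:
    def __init__(self):
        self.users = {}
        self.sessions = {}  # cookie value -> (username, generation at issue)

    def register(self, name, password):
        self.users[name] = User(name, password)

    def login(self, name, password):
        user = self.users.get(name)
        if user is None or not user.check_password(password):
            return None
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = (name, user.pw_generation)
        return cookie

    def whoami(self, cookie):
        entry = self.sessions.get(cookie)
        if entry is None:
            return None
        name, generation = entry
        if generation != self.users[name].pw_generation:
            # Issued before a password change: treat as logged out.
            del self.sessions[cookie]
            return None
        return name

    def change_password(self, cookie, current_password, new_password):
        name = self.whoami(cookie)
        if name is None:
            return False
        user = self.users[name]
        # A hijacked session alone must not be enough to change the password.
        if not user.check_password(current_password):
            return False
        user.set_password(new_password)
        # Re-issue this session under the new generation so the person making
        # the change stays logged in; every other session is now invalid.
        self.sessions[cookie] = (name, user.pw_generation)
        return True


def demo():
    store = SessionStore()
    store.register("alice", "correct horse")
    laptop = store.login("alice", "correct horse")
    sniffed = store.login("alice", "correct horse")  # the cookie an attacker copied
    # The attacker holds only the session and cannot change the password.
    hijack_ok = store.change_password(sniffed, "guess", "pwned")
    # A legitimate change from the laptop...
    changed = store.change_password(laptop, "correct horse", "new passphrase")
    # ...kills the sniffed session but keeps the laptop's.
    return hijack_ok, changed, store.whoami(sniffed), store.whoami(laptop)


if __name__ == "__main__":
    print(demo())
```

Storing the generation in the session record rather than deleting sessions by user means the check costs one comparison per request and works even when the session table is spread over several machines; the attacker's copied cookie dies the moment the real user changes the password, without the user having to hunt down "my other computers".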

------
weaksauce
It's a social news site, a low-risk target for that sort of thing. When it
started the aggregate tech level was high enough that pretty much everyone
knew to use a different password on each site as a best practice. Now not so
much. In any event he was busy and decided that it was a low enough risk for
the password to be sent in the clear as the damage that could potentially be
caused is low. (a few bunk comments, changing the email address/password,
etc....) At least that is what I recall him posting here when this question
came up before.

~~~
gcr

    > It's a social news site low risk target for that sort of thing.

See also: Gawker.

A different attack, yes, but they're targets too.

------
richbradshaw
The most common argument is that it increases CPU usage on the server, though
Google debunked that somewhere.

~~~
jbyers
Gmail as of January, 2010. No additional hardware, 1% CPU overhead:

http://www.imperialviolet.org/2010/06/25/overclocking-ssl.html

"If you stop reading now you only need to remember one thing: SSL/TLS is not
computationally expensive any more."

------
bradhe
I will never understand what people's obsession with security for the sake of
obsession is. This is a website where I sometimes log in for the purposes of
writing snarky comments. I'm not keeping my banking information on here, or
any PII (besides my username I guess), or any health records or what have you.

Will someone please explain to me in succinct terms what the purpose for
having a super-secure login would be -- that is, what the threat and how SSL
will protect against it??

~~~
BlazingFrog
To answer your question: because most people reuse their passwords across
websites. I don't care if you can log into my HN account. I do care if you use
that same password to log into my Gmail account. You can argue that people
shouldn't reuse passwords all you want, that is just reality.

------
david_shaw
Speaking as an information security professional, it is a damn good idea to
implement SSL/TLS on any login field.

That said, as (mostly) technical people here at HN, we should realize that
putting our machines in a position where traffic could be sniffed or altered--
that is, on the same public WiFi or subnet as a malicious user--is risky to
begin with. DNS and ARP poisoning could redirect any HTTP requests to anywhere
else on the Internet whether or not it's trying to initiate an encrypted
connection. SSL is an important aspect of security, but can't be relied upon
to protect you in a hostile environment.

------
HeyLaughingBoy
Same reason you don't secure your front door with an electronic time lock,
armed guards and dogs on patrol: it's not that much of a threat.

In the very unlikely event that my HN password gets sniffed, I'll need to
change my username or ask for a password reset. Worst case is someone posts a
few derogatory comments under my name. I'll survive! The same password is used
on a few other sites where the loss to me would be about the same: not a big
deal.

~~~
mike-cardwell
A similar analogy, but one with an entirely different outcome could be having
a lock on your door or not having one. If you don't have a lock on your door,
you'll probably get away with it for a while, but eventually you'll be
burgled.

~~~
Jach
Do burglars wander the streets at night testing doors of random places to see
if they're locked? If we put the issue to cars instead of houses, there are a
lot of people who would rather have their stereo stolen than have their stereo
stolen and window broken. To me most locks are more peace-of-mind security.

I just don't buy that lacking some form of security dooms you to whatever
penalties the security may have protected against, if indeed any.

~~~
JonnieCache
_> Do burglars wander the streets at night testing doors of random places to
see if they're locked?_

Yes. Criminals are oddly enough generally pretty good at cost-benefit
analysis. At least in the short term.

------
tlrobinson
Securing only the login page with SSL is mostly useless, except for preventing
the password being transmitted as plaintext. See: Firesheep.

~~~
ericd
That's actually the most important reason to use SSL. I'd much rather have my
HN account compromised than everything that shares a password with my HN
account.

~~~
ams6110
So don't use a password that you use elsewhere. I logged in to HN once, when I
signed up. I've never logged in again. I don't even remember what my password
here is.

~~~
ericd
Great advice, but it's not realistic to assume that people will do this.

------
hardik988
I'm just wondering, everyone was pissed off with Gawker because it didn't use
best practices to secure its users. Well, you could say it was their duty to
do so.

I can't imagine why anyone would break into HN, but if it actually happened,
who would be to blame?

Update: Corrected Typo

------
metageek
Obviously it would cost money. Obviously some people want it to happen. Maybe
pg could tell us how much it would cost (counting his time at whatever rate he
pleases), and we could do a kickstart to raise it?

------
edge17
this place is the watercooler. last I checked, there wasn't an electric fence
around the watercooler.

~~~
wizard_2
How is https like an electric fence?

------
vanni
pg does not tell us on the register page "Hey, say bye bye to your password!".
A password that probably lands in a plain text file too, in the clear,
super-clear, without hashing...

Arc missing SSL support, HN is a side project, pg-pg-pg-is-a-busy-man, CPU
usage, $$... WTF!? You better do it right, or don't do it at all.

When I registered months ago, I used a "serious" password. Then, curious, I
took a look at the page source... aargh, no SSL!

Immediately I changed my password to an "offensive" one. And I invite
everyone to do the same. Hey pg, hey sniffers, you can read my password, can't
you? Go, go, go read my password!

And as usual, pg fanboys, please be quick to downvote me.

State of the art and best practices FTW!!!

