Hacker News new | past | comments | ask | show | jobs | submit login

Thanks for posting this. It convinced me to upgrade SSL support from "something that would be nice to implement if I was bored someday" (BCC is not exactly security critical -- except, on reflection, the admin pages) to "drop everything and get it done."

You're saying that the BCC server doesn't have even a self-signed SSL cert installed? Or something else?

I had a SSL certificate for a while, but actually using it throughout the site without showing users Big Scary Error Messages is not quite trivial. The activation energy for digging through several hours of edge cases was lacking... until today. ("Whoops, while you don't know you're doing it, you pull an unnecessary CSS file into the cached CSS for the registration page which references a background image on an absolute http:// URL. Your registration page now throws an error on IE. You lose." "You have approximately 150 images on the site linked as handcoded img tags rather than through Rails' image_tag helper, because when you were a Rails newbie you did not know that existed. You now get to rewrite all of them so that they can use SSL asset caching magic." etc, etc)

I've seen some sites which figure out a way to force the user in and out of SSL for certain URLs. You might be able to implement a fix which forces SSL for the admin section and non-SSL for everything else.

That doesn't help, because my all-powerful admin session is as secure as the least secure page I access (or can be made to access) while on a compromised network.

Doh. Of course. It's all on the same domain. Do you think, that if designing a new application, it would make sense to make a separate admin sub-domain (assuming no wildcard cookies)?

Does the solution entail purchasing legit ssl certs for your static content domains?

Er, can’t you just specify that the session cookie is only sent over HTTPS?

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact