Hacker News new | comments | show | ask | jobs | submit login

A single "allow invalid certificate" mistake renders the whole thing useless though.

If someone does a man-in-the-middle attack on a clueless user, the user may accept an invalid certificate for your site because they are rushing through to go get one of their passwords. Offline password managers are better at mitigating the non-security-minded user problem.

can you expand on that?

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact