Hacker News new | comments | show | ask | jobs | submit login

Only half the points are valid. SSL is a selling point, because it takes a lot of work to setup completely. Lots of websites (including high-profile ones like Outlook.com) have mixed content errors at one place or another, or appear to but don't fully support SSL. The fact that they "used to" use it as a selling point says enough too.

SSL signin should not be enforced. HTTP should give a big warning, but SSL is not fully supported in all clients.

Are there clients which support evernote but would not support SSL?

If not fully supporting https counts, then Windows XP is one. That still has a rather big market share.

No. I consider properly setting up SSL to be a duty of care for the website owner. Your argument could apply to storing passwords in plaintext because "hashing is hard," or doctors refusing to wash their hands between patients because "it takes too much time" -- it's just not a corner that professionals should cut anymore.

Uh, if a selling point of theirs was "we hash your password", I would find that a good thing. I'm not saying it's not a duty for the website owner.

Ah, thanks for clarifying. I interpreted "selling point" as "you pay extra for this."

SSL is easy to do if you

1. force it on your servers

2. only include content from your servers

It becomes almost impossible to mix insecure content at this point.

Is it also easy with hundreds or thousands of servers around the world? Perhaps it's not particularly hard, but it's also not something that's thought through and implemented overnight.

If you trust your data center security it should be easy to deploy a single certificate to all production webservers. Much easier than doing the actual site configuration.

There are a lot of hard things to do when scaling, SSL isn't in the hard class.

What wouldn't support SSL? I can't think of a single product.

Windows XP with any Internet Explorer (even 8) and Safari don't support SNI. You need to use more expensive certificates or get an unique IPv4 address in order to support https there.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact