
Many websites post the forms to encrypted sites. Facebook and others do this - I haven't looked into hacker news or reddit.



It doesn't look like reddit or hacker news do.

reddit:

     <form method="post" id="login_login-main" action="http://www.reddit.com/post/login" onsubmit="return post_user(this, 'login');" class="login-form-side">

HN:

     <form method="post" action="/y">


...but reddit's only 91 lines of lisp, what did you expect?


This doesn't do any good because the page that contains the form can be transparently altered to post somewhere else by a man in the middle.


Saying that it doesn't do any good might be a bit strong - it's still vulnerable, but much less so than straight-up POSTing over an unencrypted channel.


You're right in the general case, but in the API case it doesn't matter how the form is rendered because API clients don't parse forms.


Thanks to OpenID I don't have to worry about some of that.



