Ask HN: Why doesn't HN use SSL/HTTPS for its login form?
54 points by matthodan on Dec 21, 2010 | 48 comments
Just about everyone I ask tells me that it's best practice to implement SSL/HTTPS for any login page (to protect user passwords), but then I notice that HN doesn't use SSL/HTTPS for login. Am I missing something? Is it risky to use the HN login on public networks?

Sorry in advance if this has been covered before-- I did a quick search and didn't see any recent posts...




It wouldn't be so bad except cookies aren't invalidated when you change your password. I changed mine a few days ago, and didn't have to log in again on any of my other computers. So once your cookie is sniffed, that person is you forever.


Probably one of these two:

1) HN is a side project for a busy man, and SSL/HTTPS simply isn't very high on the feature list.

2) Arc, the language HN is written in, doesn't support SSL/HTTPS


It should be straightforward to put HN behind an SSL proxy (nginx, apache, stunnel, what-have-you) if the application constructs URLs properly. HN seems to, but in some applications that's a big "if".

I'd be happy to test and supply an nginx 0.8 configuration if that would help.


If you can't do it properly...


It's open source, you could always donate some of your own time to do it properly...


As jbyers said, it should be trivial to stick a webserver which supports SSL in front of the app. Perhaps it would be a good idea to modify the app to add the secure flag to the cookie it sets though.
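
Added example, not part of the thread and not HN's own code: a minimal Python sketch of the two fixes raised in the comments above, revoking existing sessions when the password changes and setting the Secure flag on the session cookie. The `SessionStore` class and its method names are hypothetical, and the Secure flag only helps once the whole site is served over HTTPS.

```python
import hashlib
import hmac
import os
import secrets
from http.cookies import SimpleCookie


class SessionStore:
    """In-memory accounts and sessions (hypothetical, for illustration)."""

    def __init__(self):
        self._users = {}     # username -> (salt, password_hash)
        self._sessions = {}  # session token -> username

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_password(self, user, password):
        salt = os.urandom(16)
        self._users[user] = (salt, self._hash(password, salt))
        # Revoke every outstanding session for this user, so a cookie
        # sniffed before the change stops working after it.
        self._sessions = {t: u for t, u in self._sessions.items() if u != user}

    def login(self, user, password):
        """Return a Set-Cookie header value, or None on bad credentials."""
        entry = self._users.get(user)
        if entry is None:
            return None
        salt, stored = entry
        if not hmac.compare_digest(stored, self._hash(password, salt)):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = user
        cookie = SimpleCookie()
        cookie["session"] = token
        cookie["session"]["secure"] = True    # browser never sends it over plain HTTP
        cookie["session"]["httponly"] = True  # not readable from page script
        cookie["session"]["path"] = "/"
        return cookie["session"].OutputString()

    def whoami(self, cookie_header):
        """Map a request's Cookie header to a username, or None."""
        morsel = SimpleCookie(cookie_header).get("session")
        return self._sessions.get(morsel.value) if morsel else None
```
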


Why do you care? I've already used Firesheep three times to downvote using your account.

I'll do it with this comment, too.


Cool, so what's your password then? Seeing as it doesn't matter if anyone finds it out...


I only care about your session. You can keep your password, unless I brute-force it from a 37signals webapp.


Ah, so you do care enough to not share your password. So I guess the reason I care about SSL is the same reason you care about SSL.


Once you log in and the fact that you're logged in is passed around via a cookie, unless the entire interaction with the website is over HTTPS, the session can be hijacked in any wifi coffeehouse, rendering the limited usage of HTTPS mostly pointless.


The point is to prevent your actual password from being sent in the clear. Yes your session could still be hijacked, but most websites will at least require you to re-enter your password (over SSL) to change your key profile attributes or password, meaning the most someone can do with a hijacked session is vandalize the site from your account. If they have your password via sniffing, they can instantly do a whole lot more, especially if you use the same password everywhere, regardless of the merits of doing that.


> most websites will at least require you to re-enter your password (over SSL) to change your key profile attributes or password

While that is the case for most sites, HN doesn't require you to enter your current password when changing your password (or any other information for that matter).


I'll probably get slammed for this, but they do accept OpenID. Though that does nothing for session-jacking.


You can hijack it in unprotected WiFi easily (e.g. firesheep), but even if it's protected, an attacker can use ARP poisoning to route all traffic to the attacker, and thus steal the sessions (and firesheep should still work in this case).


Are most/all common WiFi access points vulnerable to ARP poisoning?


ARP poisoning is an inherent problem with the design of IP. There is no real defence against it, on any network that uses IP, regardless of what is running on the link layer (ethernet or any other 802.x protocol).

Just keep it under your hat lest someone put it into a Firefox extension.


As far as I know, all networks over a shared medium are vulnerable to ARP poisoning.

So in the old days, that was networks using hubs (instead of switches), these days it's wireless networks.


My understanding of the latest (WPA2) WiFi security is that each client creates a private channel with the access point – so it's totally up to the access point whether to trust, or route, anything any client says. That would suggest resistance to ARP poisoning is possible, at least. But I could be wrong, hence the question.


It's a social news site low risk target for that sort of thing. When it started the aggregate tech level was high enough that pretty much everyone knew to use a different password on each site as a best practice. Now not so much. In any event he was busy and decided that it was a low enough risk for the password to be sent in the clear as the damage that could potentially be caused is low. (a few bunk comments, changing the email address/password, etc....) At least that is what I recall him posting here before when this question came up before.


  > It's a social news site low risk target for that sort of thing.
See also: Gawker.

A different attack, yes, but they're targets too.


The most common argument is that it increases CPU usage on the server, though Google debunked that somewhere.


Gmail as of January, 2010. No additional hardware, 1% CPU overhead:

http://www.imperialviolet.org/2010/06/25/overclocking-ssl.ht...

"If you stop reading now you only need to remember one thing: SSL/TLS is not computationally expensive any more."


I believe Steve Gibson said he would "Kick the ass of the next person" that spreads this horrible lie. OK, he didn't say it, but come on, it'd be fun to watch him do it.


I will never understand what people's obsession with security for the sake of obsession is. This is a website where I sometimes log in for the purposes of writing snarky comments. I'm not keeping my banking information on here, or any PII (besides my username I guess), or any health records or what have you.

Will someone please explain to me in succinct terms what the purpose for having a super-secure login would be -- that is, what the threat is and how SSL will protect against it??


To answer your question: because most people reuse their passwords across websites. I don't care if you can log into my HN account. I do care if you use that same password to log into my Gmail account. You can argue that people shouldn't reuse passwords all you want, that is just reality.


Because many people reveal their real identities here. What if someone started posting malicious stuff from their accounts?

Even you, who only log in to post snarky comments, have posted links to your personal blog and projects.


Speaking as an information security professional, it is a damn good idea to implement SSL/TLS on any login field.

That said, as (mostly) technical people here at HN, we should realize that putting our machines in a position where traffic could be sniffed or altered--that is, on the same public WiFi or subnet as a malicious user--is risky to begin with. DNS and ARP poisoning could redirect any HTTP requests to anywhere else on the Internet whether or not it's trying to initiate an encrypted connection. SSL is an important aspect of security, but can't be relied upon to protect you in a hostile environment.


Same reason you don't secure your front door with an electronic time lock, armed guards and dogs on patrol: it's not that much of a threat.

In the very unlikely event that my HN password gets sniffed, I'll need to change my username or ask for a password reset. Worst case is someone posts a few derogatory comments under my name. I'll survive! The same password is used on a few other sites where the loss to me would be about the same: not a big deal.


A similar analogy, but one with an entirely different outcome could be having a lock on your door or not having one. If you don't have a lock on your door, you'll probably get away with it for a while, but eventually you'll be burgled.


Do burglars wander the streets at night testing doors of random places to see if they're locked? If we put the issue to cars instead of houses, there are a lot of people who would rather have their stereo stolen than have their stereo stolen and window broken. To me most locks are more peace-of-mind security.

I just don't buy that lacking some form of security dooms you to whatever penalties the security may have protected against, if indeed any.


>Do burglars wander the streets at night testing doors of random places to see if they're locked?

Yes. Criminals are oddly enough generally pretty good at cost-benefit analysis. At least in the short term.


FWIW, burglars do sometimes test doors randomly. This is speaking from experience of being almost-burgled while my door was unlocked.


I had my car robbed a few weeks ago, they took a 4 year old GPS and $2 in change.

I still feel wronged (it's a little annoying) but I still don't lock my doors (the amortized cost seems to be about $15/year where I tend to park). It's 99% about the time/money trade-off and 1% about what's morally right.


Comparing implementing SSL/HTTPS to securing your front door with an electronic time lock, armed guards and dogs on patrol is a bit of a stretch. I can do one for pennies on the dollar. The other one is a lot pricier (what with dog food and all).


I am sorry, but these are very poor excuses! If even someone as technology and security aware as you reuses his password on various sites, what are the chances that there will be a few people who are not as aware (but still very interested in entrepreneurship), and they use the same password for banking, email etc? And what's the cost of providing SSL support anyway? Almost nil.

I know people sometimes try too hard to justify PG's actions. But, PG is a big believer in making products and services extremely simple for the users. It is surprising that he would expect users to be careful enough to not use their primary passwords on HN. The only excuse that I can believe is that he simply doesn't have time for it.


and they have HN accounts? Perhaps they will learn from this post, then.


This is exactly my point -- It is bad practice to say, people who don't even know better than using multiple passwords shouldn't even be on our site. Or that they should learn to use multiple passwords. The site should take all the precautions anyway (especially if the precaution is so cheap).


Interesting perspective-- so, when is it appropriate to not offer SSL/HTTPS? Is it generally okay to skip SSL/HTTPS if a site isn't mission critical or financial-focused? I only ask because on Heroku and other platforms, there is a fixed cost to offer SSL (with a custom domain) that over multiple sites could add up.


Securing only the login page with SSL is mostly useless, except for preventing the password being transmitted as plaintext. See: Firesheep.


That's actually the most important reason to use SSL. I'd much rather have my HN account compromised than everything that shares a password with my HN account.


So don't use a password that you use elsewhere. I logged in to HN once. When I signed up. I've never logged in again. I don't even remember what my password here is.


Great advice, but it's not realistic to assume that people will do this.


I'm just wondering, everyone was pissed off with Gawker because it didn't use best practices to secure its users. Well, you could say it was their duty to do so.

I can't imagine why anyone would break into HN, but if it actually happened, who would be to blame?

Update: Corrected Typo


Obviously it would cost money. Obviously some people want it to happen. Maybe pg could tell us how much it would cost (counting his time at whatever rate he pleases), and we could do a kickstart to raise it?


this place is the watercooler. last I checked, there wasn't an electric fence around the watercooler.


How is https like an electric fence?


pg does not tell us on the register page "Hey, say bye bye to your password!". Password that probably lands on a plain text file too, in clear, super-clear, without hashing...

Arc missing SSL support, HN is a side project, pg-pg-pg-is-a-busy-man, CPU usage, $$... WTF!? You better do it right, or don't do it at all.

When months ago I registered, I used a "serious" password. Then, curious, I took a look at the page source... aargh, no SSL!

Immediately I changed my password with an "offensive" one. And I invite everyone to do the same. Hey pg, hey sniffers, you can read my password, can't you? Go, go, go to read my password!

And as usual, pg fanboys, please be rapid downvoting me.

State of the art and best practices FTW!!!



