Yes, tptacek runs a security consultancy. Why are you surprised? He's not wrong that the worst-case scenario isn't that bad, and he's a lot more "practical", for want of a better word, than either e.g. cperciva or me. (cperciva picks his serverside crypto algorithms for side-attack-resilience; tptacek points out that not having buffer overflows is asking too much of most software.)
This is not to say that I agree with him - the worst-case scenario isn't that bad, but setting up SSL is easy and the right thing - but he's not babbling nonsense or anything.
Not surprised. Just trying to verify if he had the subject matter expertise I thought he had or not so I can better understand the discussion. Since I am a member here, security of the site does matter to me as it potentially directly impacts me. But I lack your depth of knowledge of the subject. So the credentials of different speakers matters to my understanding. For someone like me, whether he is being downvoted because he has no clue what he is talking about or for some other reason entirely makes a significant impact on my understanding of the situation.
I am being downvoted for two direct reasons and one indirect one: (1) people universally think it's trivial to enable SSL for HN --- and it is, in the grand scheme of things, for non-hobby non-side projects, and (2) people care about the security of their HN account, even though virtually nobody else does, and so they have little to worry about. Meta-reason: people assume I'm being argumentative for the sake of it; I'm not. SSL is a waste of time for HN.
For what it's worth, I cofounded it, and I'm a principal, but Dave Goldsmith runs it. Working with me is a hazard of joining us, but working for me isn't, so much.
This is not to say that I agree with him - the worst-case scenario isn't that bad, but setting up SSL is easy and the right thing - but he's not babbling nonsense or anything.