Ask HN: Why doesn't Hacker News use HTTPS exclusively?

2 points by dewitt ↗ HN
I'm sitting in SF Superior Courthouse, waiting to see if I'll be selected for jury duty, using a public, open wifi network. I can proxy the connection through a VPN for security of course, but I'm wondering why Hacker News, which already supports SSL/TLS (I'm hitting the HTTPS endpoint right now), doesn't use it exclusively. Even some popular sites that operate at large scale (such as Google) are increasingly accepting SSL connections only for many of their products these days.

Would the admins of Hacker News consider making such a switch?

4 comments

[ 987 ms ] story [ 32.9 ms ] thread
If you care to do this on as many sites as possible, use HTTPS Everywhere:

https://www.eff.org/https-everywhere/

As far as an argument for not switching to HTTPS, HN is one of the very few webs sites that loads up almost immediately on very bandwidth constrained/high latency links in my experience.

HTTPS seems to add additional overhead, where loading these same pages can time out or take forever to load.

HN is one of the very few webs sites that loads up almost immediately on very bandwidth constrained/high latency links in my experience.

I have the opposite experience - HN pages sometimes take more than 30 seconds to load, though this is likely due to waiting for DNS - once the page loads, the entire page loads quickly. No matter if it's the high-speed connection to the laptop at work, PC at home, wifi to phone at friends' house, 1-bar 3g connection, etc.

Thanks for the link to HTTPS Everywhere. I recall reading about it at launch, but wanted to understand it better before installing. IIRC, it uses an explicit whitelist of URLs that redirect from http to their secure equivalent, which gave me pause, as it would seemingly be (theoretically) possible for a malicious party to compromise the whitelist and hijack the redirects. I could be wrong about the technique of course; I just wanted to wait until I investigated the approach first.

Regarding latency, there are many sites, such as www.google.com itself, that achieve low latencies even over SSL. Given the lightweight nature of HN, I imagine it is at least worth the experiment. I'm using https://news.ycombinator.com myself right now, and the latency, if any, isn't noticeable. For me anyway.

Thanks again for the pointer to HTTPS Everywhere.

There's nothing secret here, no private messages or personal data (email and password aside). Until censorship is a worry HN is in the later groups of websites to need https, followed by those with no login and no logging.