Ask PG: Make the login form available over HTTPS only?
Hi PG,
I noticed news.ycombinator.com supports both SSL and vanilla HTTP. While savvy users probably have been doing this for years, the login form as well as the comment submission pages are available over vanilla HTTP. This means that if I try to log in on a wireless connection and forget to use the SSL link, anyone can sniff my HN username and password by reading the packets sent between my computer and the wireless router. Passing login credentials over HTTPS is a standard industry best practice (passing auth cookies over HTTPS as well is best, as Firesheep demonstrated).
Could you please make the login page available only over SSL? Then I wouldn't have to remember to use the secure link when logging in. Of course all non-logged in visits could continue to use HTTP.
Best, Kevin
36 comments
[ 2.4 ms ] story [ 84.8 ms ] threadA better suggestion would be to have the entire site available of SSL only. Good to see HN'ers taking security seriously though :)
Iran for instance blocked all SSL sites a while back, not sure if this is still the case however..
See http://news.ycombinator.com/item?id=3575029
(To clarify, I'm interested in the general topic of whether it's a good idea to have all-SSL websites.)
One way around this is to use HTTPS-Everywhere with another extension called HTTPS Finder[1] (Firefox only, AFAIK) that tries to load secure versions of any HTTP sites you go to, and writes HTTPS-Everywhere rules for you if it finds one. It asks if you want to add the rule or whitelist the unsecure version.
Fair warning: you'll probably end up being annoyed with it fairly often, and have to whitelist more sites than you expect which have expired or improperly configured SSL versions.
It's more than fine for HN's core audience, but it's not exactly ready for primetime for the average user.
[1] https://addons.mozilla.org/en-US/firefox/addon/https-finder/
The real-time commercial value of a person's actual posts to HN is even less, i.e. any man in the middle who is manipulating HN comments is doing so at the expense of forgoing more profitable opportunities.
The root of the security issue is using open wireless networks, and these are vulnerable to man in the middle exploit even when SSL is used.
Post intelligent comments under my name?
Cost me a few karma points by trolling?
Other than the ability to downvote and change the topline color, it's no different from yours. It's not the karma points which make an HN'ers posts better, it's the relevance of their participation.
To put it another way, if PG emails me directly using the private address, I'll see it eventually. But I will probably see anything sent to the public address more quickly...though again probably not right away.
Just as I don't see security on HN as high importance, for me, emails related to it are not treated as time critical. However, separating them out from my normal inbox makes anything coming from HN stand out.
But regardless of how one slices and dices it, my HN account does not contain sensitive information and the consequences of a security breech of my account are trivial. HN is not Wells Fargo.
After reading the grandparent comment about wanting my karma I changed my password for the first time since joining. But rest assured, the old password demonstrated how low value access to my HN login is.
It's foolish to introduce security where none is required, and even more foolish to introduce the overhead of a security apparatus which doesn't meaningfully increase security.
I'd be willing to bet very few people use truly unique passwords across all their accounts. While personal responsibility is paramount, human nature is what it is, and (again, imo) all sites that require authentication should do it well (over SSL).
Therefore, I doubt that PG would rely on it as a primary means of preventing mischief on HN.
I think this is only a reasonable consideration when the implementation is inconvenient. We're talking about an SSL login on a site that already uses HTTPS. This is not a particularly difficult endeavour.
I'd add that using SSL for the sake of using SSL may give HN'ers a false impression regarding the priority given to securing communications on the news site.
HN does not have a private messaging system (at least at my karma level) and the bottom line is that my communications are being published to the internet at large. It is difficult to see what purpose security serves.
HSTS, as we've seen here recently, cuts down the risk significantly, especially if HN were to submit itself to browser preloaded lists.
Could someone please explain to me how this could happen ? By my understanding, that is exactly the type of attack that SSL was designed to protect against.
Sure, now they can easily sniff my HN password (which I don't use anywhere else) and could abuse it, but I don't give the slightest damn about it. I'd create a new account (though it's not ideal as I'd lose my karma and can't downvote objectionable/trollish comments). My HN profile is probably the least valuable online account I have; I don't care if it gets removed or hacked. It's more annoying for me if I couldn't login at all.
Of course, your use case most certainly differs from mine; which is why I think it's a good idea to show HTTPS login form by default. But please always allow a less-secure but probably more reliable option for logging in when you're creating a login form for non-commercial sites like HN.
If pg spent 2 hours downloading the libraries for and hooking into the API of, say, bcrypt or pbkdf2, that on top of the rest of his authentication code would result in a benefit once the password database has been stolen. There is a man-in-the-middle possibility because HTTP is still a valid login method, though you could argue he can spend less time securing his code against a database breach.
If pg spent 1 hour making SSL the only option for logins, the resulting benefit is that all communication of the password is secure, though you could argue he now has to spend much more time securing his code against a database breach.
Of course, if he spent 3 hours doing both, everything is more secure. But we don't always have time to spend.
It allows anyone who is serious about a secure channel to create one while not advertising the fact that some people might find security necessary on a "news" site. Yes, it's security by obscurity, which of course shouldn't be used as the primary method but it probably reduces the attractive nuisance.
But if PG was going to code something up, he wouldn't advertise the fact, nor his approach. It would instead be along the lines of "Lisp as a secret weapon."
And it certainly wouldn't be something based on "industry best practices."