[personal profile] yendi
If your site's important enough to require a password, it's important enough to use a fucking secure server. As the default, too.

Culprits this morning include Boardgamegeek, Moodle.org, Tor.com, Librarything, Twitter, and LJ itself.

(no subject)

Date: 2009-03-13 02:28 pm (UTC)
From: [identity profile] asim.livejournal.com
I understand your frustration, yet there are some real issues and costs with using SSL.

The problem is that running SSL sessions has a high cost in CPU time. I've mocked up a certificate and tried it on my personal server, and seen the results -- pretty painful. So I can only imagine what having a server with hundreds of logins a minute would end up like.
Moreover, SSL does stop some types of hacks, which is why some sites need it. I use only HTTPS to login to, and view, gmail, for example. But (so far as I know) the hacks against LJ, for example, of late weren't related to anyone sniffing passwords. Indeed, a quick check shows that the last two major LJ attacks used XSS and "dead" email accounts.

So yes, SSL would be better. It would help mitigate certain attacks. But it won't come close to stopping them. And it will raise the costs on said services and/or reduce their ability to work.

Passwords pretty much suck.

Date: 2009-03-13 08:21 pm (UTC)
From: [personal profile] adric
That said, we'd get more mileage out of sites having and publishing good security and privacy guidelines and policies and HTTP Digest (rather than Basic) auth support than pushing SSL even more. Digest is much cheaper than full-on SSL and appropriate to protect a secret like a login password.

SSL is so additionally expensive in hardware that there are cards sold just to do that. Some manufacturers have even put crypto-acceleration into the motherboard chipsets, so hopefully that will be widespread someday.

The other huge problem with SSL adoption is the extortion system that passes for its trust metrics. Even Bruce Schneier has pointed out that this is not helping anyone (he was yelling at Mozilla for all of the extra hoops in FF 3 to use a non-G8-trusted certificate).

It's a big ol' mess.
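As an added illustration (not code from this post or any commenter), here is the RFC 2617 Digest computation the comment above is referring to, using the RFC's own worked values: the client sends a hash derived from a server nonce rather than the password, and the server verifies it from a stored HA1, which is itself password-equivalent.

```python
import hashlib
import secrets


def _md5(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). The server keeps this, not the
    cleartext password, but anyone holding HA1 can authenticate as the user."""
    return _md5(f"{username}:{realm}:{password}")


def digest_response(h1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """Client side, RFC 2617 with qop=auth:
    response = MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri).
    Only this hex digest crosses the wire; the password string never does."""
    h2 = _md5(f"{method}:{uri}")
    return _md5(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{h2}")


def server_verify(stored_ha1: str, method: str, uri: str, nonce: str,
                  nc: str, cnonce: str, response: str, qop: str = "auth") -> bool:
    """Server side: recompute from the stored HA1 and compare in constant time."""
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce, qop)
    return secrets.compare_digest(expected, response)


# Worked values from RFC 2617 section 3.5 (the RFC's own example exchange).
RFC_USER, RFC_REALM, RFC_PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
RFC_NONCE, RFC_NC, RFC_CNONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"
RFC_METHOD, RFC_URI = "GET", "/dir/index.html"


def rfc2617_example() -> str:
    """Returns the response value the RFC example client would send."""
    h1 = ha1(RFC_USER, RFC_REALM, RFC_PASSWORD)
    return digest_response(h1, RFC_METHOD, RFC_URI, RFC_NONCE, RFC_NC, RFC_CNONCE)


if __name__ == "__main__":
    resp = rfc2617_example()
    print("on the wire:", resp, "| contains password:", RFC_PASSWORD in resp)
```

The caveat a practitioner should keep in mind: a captured exchange still lets an observer test password guesses offline against the response, and Digest does nothing for the rest of the session, so it limits exposure of the password rather than substituting for TLS.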

Without getting into the SSL vs. not-SSL stuff

Date: 2009-03-13 08:48 pm (UTC)
From: [personal profile] wednesday
I'm not sure I'd phrase it as "important enough to require a password" -- there are several reasons why one would want at least some form of user authentication on completely inconsequential websites.

(no subject)

Date: 2009-03-24 01:40 am (UTC)
From: [identity profile] dark-blade.livejournal.com
How do you use https on a website that doesn't offer a link? Just type in https:// instead of http:// ?
