It isn't secure, even if it is in an iframe, as the href of the iframe could easily be changed with a man in the middle attack.
You should force https for the whole site.
Exactly right -- please do redirect to https at a minimum for any payment pages.
The actual risk of a MitM attack is low, but it's certainly feasible; your page would look exactly the same if it were tweaked en-route to use a completely different source for the overlay iframe, and tweaking your page en-route is possible because you're sending it unencrypted.
There's also a web-standards rationale -- all payment pages should be over SSL, because it's one of the few security precautions that non-technical users can reliably verify. Any unencrypted-but-legit payment pages undermine the lesson that payment pages should be SSL-only, when we should be encouraging it.
There are valid reasons why a site might find switching to full SSL harder than just fixing payment pages. Use your imagination.
What if they rely on free CloudFlare support for site content? Going full SSL will mean another $20/month of hosting cost.
What if the site in question comprises a thousand HTML pages written on MS Frontpage over 15 years, and most of those pages (if flipped to https) will start showing "insecure content" warnings until they're edited?
By all means, doing more than the minimum will be trivial for some sites, and a good idea for them, but that's not true for everyone.
And this site in question? Yea, that's what I thought. There are exceptions to every rule but this is certainly not one of them.
And really, those aren't exceptions I would call worthy.
CDN / cheap ass issues: you're selling something and running a business, businesses have costs, 20/month ain't nothin to secure your shit.
15 years' worth of legacy frontpage you call content: the "insecure content" warnings are probably right regardless of ssl. Further to the point, nobody cares about 15 years' worth of shit nobody reads, move it to a different subdomain if it's static junk that can't be secured, or I don't know delete it? We'd all be better off without it clogging up the interwebs anyway.
SSL isn't new, it's been around almost two decades, you're making bad excuses for bad people. Stop it. Site wide HTTPS is a good idea for everyone and it is trivial, if it's not (in your case), that is your fault and your problem - not mine, and certainly not your users.
I had moved on to talking about sites in general; the site in question would be just fine with site-wide SSL.
For the rest of it -- at some point you're going to have to get used to the idea that the people putting content on the web are a lot more diverse than you'd prefer, and their motivations are also a lot more diverse than you might imagine or think "worthy".
If you want to tell them all "do it right or go die in a fire" that's your prerogative, but it's not the most effective approach.
p.s: You can use https://hackerbundle.com if it still concerns you. I just set it up last night.
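An added example, not part of the thread or of any poster's code: a small audit that flags the two conditions discussed above, an iframe or form embedded in a page that is itself served over plain HTTP, and the `http://` subresources that trigger "insecure content" warnings once a page moves to HTTPS. The names `audit_page` and `URL_ATTRS`, the finding labels, and the `example.test` hostnames are assumptions made for this illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser fetch from or submit to a URL.
URL_ATTRS = {"iframe": "src", "script": "src", "img": "src",
             "link": "href", "form": "action"}

class _Collector(HTMLParser):
    """Collect (tag, absolute URL) for every URL-bearing tag in a page."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if value:
            self.refs.append((tag, urljoin(self.base_url, value)))

def audit_page(page_url, html):
    """Return a sorted list of (finding, tag, url) tuples for one page."""
    collector = _Collector(page_url)
    collector.feed(html)
    page_is_https = urlsplit(page_url).scheme == "https"
    findings = []
    for tag, url in collector.refs:
        if not page_is_https and tag in ("iframe", "form"):
            # The parent arrives unencrypted, so this src/action can be
            # rewritten in transit even when it points at an https URL.
            findings.append(("insecure-parent", tag, url))
        elif page_is_https and urlsplit(url).scheme == "http":
            # Subresource that browsers warn about or block on an https page.
            findings.append(("mixed-content", tag, url))
    return sorted(findings)

# Constructed sample page; hostnames are placeholders.
SAMPLE = """<html><head><script src="http://cdn.example.test/lib.js"></script>
<link rel="stylesheet" href="/site.css"></head>
<body><img src="//img.example.test/logo.png">
<iframe src="https://pay.example.test/checkout"></iframe></body></html>"""

if __name__ == "__main__":
    for url in ("http://shop.example.test/buy", "https://shop.example.test/buy"):
        print(url, audit_page(url, SAMPLE))
```

Relative and scheme-relative URLs inherit the page's scheme, which is why the same markup produces different findings for the HTTP and HTTPS versions of the page.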