Reply to post:

50c buys you someone else's password for Netflix, Spotify or ...

Marco Fontani

> It's [...] a bit surprising that [...] doesn't have TLS on the login form(s) though

And the point of having TLS on the login form only is… to protect your password? Don't reuse passwords across sites, and if that password gets taken by a drive-by on the unsecured wi-fi while you sip your latte, nothing of value is lost.

Create a password with "pwgen 32 1"; copy, paste, login, forget, "reset password" if you ever need to get in again.

Use lastpass or similar if you need to have stronger "security"; use "pass" if you like the command line and are a gpg nut like myself.

Having TLS _only on the login form_ is pretty damn useless because of the above, and what a website should have is to have TLS _everywhere_. If it's only on the login form, then an "attacker" sitting behind you while you sip your latte would not be able to sniff your password, but will be able to sniff the authentication cookie - so they'd still be able to post stuff as you, or change your details on your account, etc.

So, we either do it _everywhere_ and _properly_ (see things like "https everywhere" and HSTS) or it's IMHO pretty damn useless, security wise - and not really doing it at all.

Should we just enable TLS on the login form to "tick a box", or should we do it everywhere, and do it right? In general, we try to get things right even if it takes a little while longer - whenever possible.

Kinda like a variation of "fast, good, cheap - pick two". Wherever possible, we pick "right", and "even if it takes longer".

Luckily most ads-serving businesses are able to work and provide ads over TLS, so that's a good chunk of work and worry I'm glad we don't have to think about too much. It took time for the industry to get to that point though.

So… it's a matter for us to sit at our mac, sip our favourite @drinks and get on with it. Unfortunately it's not the only task on our plate, and - as I hope to have explained - it's not the most time-sensitive or important one to be done next.

You could be asking a similar question about enabling IPv6 access - also able to be enabled at the touch of a button. You'd get a similar answer: we need to ensure _all_ our sites, processes, programs, what-have-you can handle it. That'll also arrive Soon® :)
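An added example (not part of Marco's comment): a small Python audit over one HTTPS response's headers that flags exactly the gap described above, a session cookie not marked Secure and no HSTS, so "TLS on the login form only" would leave the cookie sniffable on plain-HTTP pages. The sample headers are constructed, and the 180-day HSTS floor is an assumption.

```python
def parse_set_cookie(value):
    """Split one Set-Cookie header into (name, {attr: value}) with attrs lower-cased."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for p in parts[1:]:
        key, _, val = p.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name, attrs

def parse_hsts(value):
    """Parse Strict-Transport-Security directives, e.g. max-age=31536000; includeSubDomains."""
    directives = {}
    for d in value.split(";"):
        key, _, val = d.strip().partition("=")
        if key:
            directives[key.lower()] = val.strip().strip('"') if val else True
    return directives

MIN_HSTS_AGE = 15552000  # 180 days; a commonly recommended floor (assumption, not from the page)

def audit_headers(headers):
    """headers: list of (name, value) pairs from one HTTPS response. Returns a list of findings."""
    findings = []
    hsts = None
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            cname, attrs = parse_set_cookie(value)
            if "secure" not in attrs:
                findings.append(f"cookie {cname!r} lacks Secure: browser sends it over plain HTTP too")
            if "httponly" not in attrs:
                findings.append(f"cookie {cname!r} lacks HttpOnly: readable by page scripts")
        elif lname == "strict-transport-security":
            hsts = parse_hsts(value)
    if hsts is None:
        findings.append("no Strict-Transport-Security: browser will still follow http:// links")
    else:
        age = hsts.get("max-age", "0")
        if not str(age).isdigit() or int(age) < MIN_HSTS_AGE:
            findings.append(f"HSTS max-age {age} below {MIN_HSTS_AGE}")
        if "includesubdomains" not in hsts:
            findings.append("HSTS lacks includeSubDomains")
    return findings

# Constructed sample headers (not captured from any real site).
LOGIN_ONLY = [("Set-Cookie", "session=abc123; Path=/; HttpOnly")]  # TLS on the login form only
EVERYWHERE = [("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
              ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")]
```

Run `audit_headers(LOGIN_ONLY)` to see both findings; `audit_headers(EVERYWHERE)` returns an empty list.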
