Most active commenters
  • shkkmo(4)

←back to thread

Klarna users are being signed in to random accounts

(twitter.com)
475 points danielstocks | 19 comments | 27 May 21 10:28 UTC | HN request time: 0.517s | source | bottom
1. paxys ◴[27 May 21 15:09 UTC] No.27304033[source]
Having at least authenticated sections of your site use HTTPS was standard well before 2011.
replies(5): >>27304324 #>>27304427 #>>27305411 #>>27307048 #>>27307466 #
2. oxplot ◴[27 May 21 15:35 UTC] No.27304324[source]
That only protects the user's password. The auth cookie will be sent in all subsequent requests in plain text.

EDIT: that's how firesheep (https://en.wikipedia.org/wiki/Firesheep) hijacked sessions for e.g.

replies(1): >>27304417 #
3. nly ◴[27 May 21 15:43 UTC] No.27304417[source]
That's not true. Cookies can have a 'secure' attribute which tells the browser to send them only over TLS
replies(3): >>27304684 #>>27304721 #>>27304916 #
4. tl ◴[27 May 21 15:43 UTC] No.27304427[source]
Let's Encrypt started in 2014 to address HTTP overuse.

In 2011, I (in-house corp app dev) was still stuck with HTTP services (behind a firewall, accessible only via VPN).

In 2014, public facing mobile apps using HTTP was prevalent enough to prompt name and shame campaigns. [1] My fuzzy memory suggests some banks were still using HTTP.

[1] https://arstechnica.com/information-technology/2014/08/new-w...

replies(4): >>27304815 #>>27304833 #>>27307101 #>>27307439 #
5. eli ◴[27 May 21 16:08 UTC] No.27304684{3}[source]
in 2011?
replies(1): >>27304902 #
6. chc ◴[27 May 21 16:12 UTC] No.27304721{3}[source]
But that just makes your login not work if the rest of your site is HTTP, doesn't it?
replies(1): >>27304915 #
7. shkkmo ◴[27 May 21 16:19 UTC] No.27304815[source]
I started doing professional web development in 2011. It was very clear at the time that not using HTTPS for any site with a login was an BAD practice that made your users less secure. There were clearly people and institution still using bad practices, but risks were clear to most web developers.

What was shifting at the time was developer views on using HTTPS for non-secure, unauthenticated portions of websites. This is where the "HTTPS Everywhere" plugin and other such movements came in.

replies(1): >>27305019 #
8. benlivengood ◴[27 May 21 16:21 UTC] No.27304833[source]
Bank of America back in 2005 (timestamp from the annoyed email I sent them) refused to load the front page over https. I think it even redirected https attempts back to http. The form submission was over https.

The solution was to enter garbage for the first login since the "re-enter your password" page was served over https. I think they fixed it before 2011, but don't have an exact record of when.

9. shkkmo ◴[27 May 21 16:26 UTC] No.27304902{4}[source]
Yes
10. shkkmo ◴[27 May 21 16:27 UTC] No.27304915{4}[source]
You should not show authenticated pages without HTTPS
11. oxplot ◴[27 May 21 16:27 UTC] No.27304916{3}[source]
A secure cookie would be of no use for a site whose only secure page is the login page, which is what the parent post I replied to was talking about.
12. pooper ◴[27 May 21 16:36 UTC] No.27305019{3}[source]
From what I remember there was a lot of pushback from infrastructure as we thought using https for the whole website would increase CPU load. Never verified if this was true... but I'm sure someone here should know.
replies(1): >>27305112 #
13. shkkmo ◴[27 May 21 16:45 UTC] No.27305112{4}[source]
Re 2011

Push back on what? There was pushback against HTTPS for non-authenticated pages for various reasons.

That does not mean that HTTPS for authenticated pages was not considered a standard and necessary security measure.

14. the_duke ◴[27 May 21 17:11 UTC] No.27305411[source]
Only for certain domains and in certain regions.

A lot of the web was still on http, including some banks.

Even Facebook was still primarliy http when Firesheep [1] came out in 2010.

[1] https://en.wikipedia.org/wiki/Firesheep

15. birdyrooster ◴[27 May 21 19:24 UTC] No.27307048[source]
Not sure why you are being downvoted but this is exactly correct. We had, as an industry, been so focused on PCI during this time and TLS was and continues to be the most important aspect of the protective technology. SSL/TLS had already made e-commerce viable in the 90s and its power was well known and being applied for the decade following. Being in 2011 without full ssl for authenticated access was quite bad behavior indeed. Maybe excusable for some low rent bulletin board, but perhaps that is what the commenter was operating. I have no clue.
16. birdyrooster ◴[27 May 21 19:28 UTC] No.27307101[source]
Let’s encrypt came way way late to the party. We had been banging the drum for 20 years by then.
17. kaszanka ◴[27 May 21 19:54 UTC] No.27307439[source]
If the pages are only accessible via a VPN, what does HTTPS really get you?
replies(1): >>27308288 #
18. dang ◴[27 May 21 19:57 UTC] No.27307466[source]
We detached this subthread from https://news.ycombinator.com/item?id=27303744.
19. tl ◴[27 May 21 20:47 UTC] No.27308288{3}[source]
Not needing a VPN. rimshot

In all seriousness, better security. You are leaking whatever payload is sent right after VPN drops. An early version of the application had a defect because it did not check response payloads on an endpoint (the code handled errors, but 200 OK was all it needed on success). This is not what you want when the 200 OK is followed by the HTML of a hotel's wi-fi access page.