475 points danielstocks | 8 comments
paxys No.27304033
Having at least authenticated sections of your site use HTTPS was standard well before 2011.
replies(5): >>27304324 #>>27304427 #>>27305411 #>>27307048 #>>27307466 #
1. tl No.27304427
Let's Encrypt started in 2014 to address HTTP overuse.

In 2011, I (in-house corp app dev) was still stuck with HTTP services (behind a firewall, accessible only via VPN).

In 2014, public-facing mobile apps using HTTP were prevalent enough to prompt name-and-shame campaigns. [1] My fuzzy memory suggests some banks were still using HTTP.

[1] https://arstechnica.com/information-technology/2014/08/new-w...

replies(4): >>27304815 #>>27304833 #>>27307101 #>>27307439 #
2. shkkmo No.27304815
I started doing professional web development in 2011. It was very clear at the time that not using HTTPS for any site with a login was a BAD practice that made your users less secure. There were clearly people and institutions still using bad practices, but the risks were clear to most web developers.

What was shifting at the time was developer views on using HTTPS for non-secure, unauthenticated portions of websites. This is where the "HTTPS Everywhere" plugin and other such movements came in.

replies(1): >>27305019 #
3. benlivengood No.27304833
Bank of America back in 2005 (timestamp from the annoyed email I sent them) refused to load the front page over https. I think it even redirected https attempts back to http. The form submission was over https.

The solution was to enter garbage for the first login since the "re-enter your password" page was served over https. I think they fixed it before 2011, but don't have an exact record of when.

4. pooper No.27305019
From what I remember there was a lot of pushback from infrastructure as we thought using https for the whole website would increase CPU load. Never verified if this was true... but I'm sure someone here should know.
replies(1): >>27305112 #
5. shkkmo No.27305112
Re 2011

Pushback on what? There was pushback against HTTPS for non-authenticated pages for various reasons.

That does not mean that HTTPS for authenticated pages was not considered a standard and necessary security measure.

6. birdyrooster No.27307101
Let's Encrypt came way, way late to the party. We had been banging the drum for 20 years by then.
7. kaszanka No.27307439
If the pages are only accessible via a VPN, what does HTTPS really get you?
replies(1): >>27308288 #
8. tl No.27308288
Not needing a VPN. rimshot

In all seriousness, better security. You are leaking whatever payload is sent right after VPN drops. An early version of the application had a defect because it did not check response payloads on an endpoint (the code handled errors, but 200 OK was all it needed on success). This is not what you want when the 200 OK is followed by the HTML of a hotel's wi-fi access page.
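As an added example (not code from any poster in this thread), here is a Python client-side check that refuses to treat a bare 200 OK as success, the defect tl describes: the transport, status, media type and payload schema all have to match before the reply is trusted. The endpoint URL, the two-field JSON schema and both sample responses are constructed for the example.

```python
import json
from dataclasses import dataclass

# Constructed sample responses modelled on the failure mode in the comment above
# (not captured traffic): a captive portal answering 200 OK with an HTML login
# page, and the JSON reply the client actually expects from its endpoint.
CAPTIVE_PORTAL = (
    200,
    {"Content-Type": "text/html; charset=utf-8"},
    b"<html><body><h1>Welcome to Hotel Wi-Fi</h1><form>...</form></body></html>",
)
GOOD_REPLY = (
    200,
    {"Content-Type": "application/json"},
    b'{"status": "ok", "ticket": "abc123"}',
)

REQUIRED_KEYS = {"status", "ticket"}  # hypothetical schema for this endpoint


@dataclass
class Verdict:
    ok: bool
    reason: str


def check_response(url, status, headers, body):
    """Accept a reply only if transport, status, media type and payload all match.

    A bare `status == 200` test is the bug described above: an interception
    (captive portal, proxy error page) also answers 200.
    """
    if not url.lower().startswith("https://"):
        return Verdict(False, "plaintext transport: refuse to trust the reply")
    if status != 200:
        return Verdict(False, f"unexpected status {status}")
    # Header names are case-insensitive; compare only the media type, not charset.
    raw = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    ctype = raw.split(";")[0].strip().lower()
    if ctype != "application/json":
        return Verdict(False, f"unexpected media type {ctype!r}")
    try:
        payload = json.loads(body)
    except ValueError:
        return Verdict(False, "body is not valid JSON")
    if not isinstance(payload, dict) or not REQUIRED_KEYS.issubset(payload):
        return Verdict(False, "payload missing required fields")
    return Verdict(True, "valid response")


if __name__ == "__main__":
    for name, resp in (("captive portal", CAPTIVE_PORTAL), ("good reply", GOOD_REPLY)):
        print(name, check_response("https://api.example.invalid/ping", *resp))
```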