475 points danielstocks | 3 comments
paxys No.27304033
Having at least authenticated sections of your site use HTTPS was standard well before 2011.
replies(5): >>27304324 #>>27304427 #>>27305411 #>>27307048 #>>27307466 #
tl No.27304427
Let's Encrypt started in 2014 to address HTTP overuse.

In 2011, I (in-house corp app dev) was still stuck with HTTP services (behind a firewall, accessible only via VPN).

In 2014, public-facing mobile apps using HTTP was prevalent enough to prompt name and shame campaigns. [1] My fuzzy memory suggests some banks were still using HTTP.

[1] https://arstechnica.com/information-technology/2014/08/new-w...

replies(4): >>27304815 #>>27304833 #>>27307101 #>>27307439 #
1. shkkmo No.27304815
I started doing professional web development in 2011. It was very clear at the time that not using HTTPS for any site with a login was a BAD practice that made your users less secure. There were clearly people and institutions still using bad practices, but risks were clear to most web developers.

What was shifting at the time was developer views on using HTTPS for non-secure, unauthenticated portions of websites. This is where the "HTTPS Everywhere" plugin and other such movements came in.

replies(1): >>27305019 #
2. pooper No.27305019
From what I remember there was a lot of pushback from infrastructure as we thought using https for the whole website would increase CPU load. Never verified if this was true... but I'm sure someone here should know.
replies(1): >>27305112 #
3. shkkmo No.27305112
Re 2011

Push back on what? There was pushback against HTTPS for non-authenticated pages for various reasons.

That does not mean that HTTPS for authenticated pages was not considered a standard and necessary security measure.