(twitter.com)

475 points danielstocks | 1 comments | 27 May 21 10:28 UTC | HN request time: 0.203s | source

Show context

paxys ◴[27 May 21 15:09 UTC] No.27304033[source]▶

>>27301219 (OP) #

Having at least authenticated sections of your site use HTTPS was standard well before 2011.

replies(5): >>27304324 #>>27304427 #>>27305411 #>>27307048 #>>27307466 #

tl ◴[27 May 21 15:43 UTC] No.27304427[source]▶

>>27304033 #

Let's Encrypt started in 2014 to address HTTP overuse.

In 2011, I (in-house corp app dev) was still stuck with HTTP services (behind a firewall, accessible only via VPN).

In 2014, public facing mobile apps using HTTP was prevalent enough to prompt name and shame campaigns. [1] My fuzzy memory suggests some banks were still using HTTP.

[1] https://arstechnica.com/information-technology/2014/08/new-w...

replies(4): >>27304815 #>>27304833 #>>27307101 #>>27307439 #

1. benlivengood ◴[27 May 21 16:21 UTC] No.27304833[source]▶

>>27304427 #

Bank of America back in 2005 (timestamp from the annoyed email I sent them) refused to load the front page over https. I think it even redirected https attempts back to http. The form submission was over https.

The solution was to enter garbage for the first login since the "re-enter your password" page was served over https. I think they fixed it before 2011, but don't have an exact record of when.

↑

Klarna users are being signed in to random accounts