undefined | Better HN

Skip to content

Top Best Ask Show New Jobs

0 pointstptacek17y ago0 comments

Could not agree any more strongly about this. You still need to use bcrypt to store passwords, because you will eventually screw up Unicode and SQL on a complicated form somewhere and give up your whole password database. But if you're willing to spend ever a quarter person/day on password auth, there is no economy at all to skipping SSL.

0 comments

5 comments · 1 top-level

stcredzero17y ago· 4 in thread

You can't rely entirely on SSL. You're still vulnerable to man in the middle attacks, among other things.

tptacekOP17y ago

No, the whole point of SSL is that it is not vulnerable to MITM attacks, because the client carries anchor keys.

stcredzero17y ago

If you're connecting to a website that looks the same, but the URL is slightly different, it won't help. What's more, the URL doesn't have to be different for the entire user's session.

gojomo17y ago

Could you explain further what sort of MITM attack you mean for which SSL doesn't help? (Are you assuming users who don't insist on an SSL connection with a recognized domain?)

stcredzero17y ago

DNS poisoning enables a MITM attack even if you're connecting to your safe, legitimate domain.

j / k navigate · click thread line to collapse