Login Security on The Verge

I noticed earlier today that the Verge login page defaults to not using SSL (i.e. it is an http:// URL, not an https:// URL, for the non-technical).

I emailed them about it and received a link to the below post in response.


Comments for that page are closed, so I can't reply there. Unfortunately what I read from the response there is that this is a low priority. I also read some angry-sounding posts from people along the lines of "it's not the Verge's problem" and "other sites do it".

Firstly, using SSL for login is a basic requirement in online security. If a site cannot manage this, then it inspires no faith in any other aspect of its security. This is standard practice and easy to implement. Yes, I know what I'm talking about - I work in this field as a senior developer and project manager and am responsible for online services of clients. Just to head off people arguing about whether this is standard practice or not: it is.

The reason the Verge have not enabled this is probably that they have a mess of CSS and JavaScript et al. that is hard-coded to http:// URLs. If a page served over HTTPS pulls in scripts or stylesheets over plain HTTP (so-called mixed content), then browsers that block mixed content (IE and Chrome, for example) refuse to load the insecure parts, because a script or stylesheet fetched over HTTP can be tampered with in transit and then controls the supposedly secure page. So if you go to the login page in either of these browsers and change the protocol at the start of the URL to https://, you'll see a page lacking in styles. So for some reason the Verge have a set-up where they can't simply serve those assets over SSL. They need to fix this, because they're putting user security at risk. Note that serving the form over http:// and merely posting it to https:// would not be enough either: anyone who can tamper with the page in transit can point the form wherever they like, so the login page and everything it loads need to come over HTTPS.
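To find out exactly which hard-coded references would break a page that is switched to https://, you can walk the page's HTML and list every script, stylesheet, frame, image or CSS url() that is still an absolute http:// URL. The following is an added example, not code from The Verge or from the original post; the sample page and the cdn.example.test / www.example.test host names are constructed for illustration. Relative and protocol-relative (//host/...) references are not flagged, because they follow the page's own scheme.

```python
"""List hard-coded http:// subresources that a browser would block (or warn
about) if the page were served over https://.  Added example with a
constructed sample page; not code from The Verge."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> (attribute, kind).  Scripts, stylesheets and frames are "active"
# mixed content: mixed-content-blocking browsers refuse to load them, which is
# why a forced-https page renders unstyled.  Images are "passive": usually
# loaded with a warning rather than blocked.
SUBRESOURCE_ATTRS = {
    "script": ("src", "active"),
    "link": ("href", "active"),    # only rel=stylesheet is considered below
    "iframe": ("src", "active"),
    "img": ("src", "passive"),
}

# url(http://...) inside inline <style> blocks (quotes optional).
CSS_URL = re.compile(r"url\(\s*['\"]?(http://[^'\")]+)")


class SubresourceCollector(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.base = page_url
        self.findings = []        # (kind, tag, absolute_url)
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "style":
            self._in_style = True
            return
        if tag not in SUBRESOURCE_ATTRS:
            return
        # <link rel=canonical> etc. is not a subresource; only stylesheets count.
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        attr, kind = SUBRESOURCE_ATTRS[tag]
        if attrs.get(attr):
            self._check(kind, tag, attrs[attr])

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            for url in CSS_URL.findall(data):
                self._check("active", "style", url)

    def _check(self, kind, tag, url):
        # Resolve against the https:// page URL: relative and protocol-relative
        # references become https and are fine; absolute http:// ones are not.
        absolute = urljoin(self.base, url)
        if urlsplit(absolute).scheme == "http":
            self.findings.append((kind, tag, absolute))


def find_mixed_content(html, page_url):
    """All insecure subresources of `html` as if it were served at `page_url`."""
    parser = SubresourceCollector(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


def blockers(html, page_url):
    """Just the active-content URLs: these must be fixed before the login page
    can move to https:// without losing its scripts and styles."""
    return [url for kind, _, url in find_mixed_content(html, page_url)
            if kind == "active"]


# Constructed sample page: a mix of hard-coded http://, relative and
# protocol-relative references.
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<link rel="stylesheet" href="/css/login.css">
<link rel="canonical" href="http://www.example.test/login">
<script src="http://cdn.example.test/app.js"></script>
<script src="//cdn.example.test/analytics.js"></script>
<style>body { background: url(http://cdn.example.test/bg.png) }</style>
</head><body>
<img src="http://cdn.example.test/logo.png">
<form method="post" action="/login"></form>
</body></html>"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(SAMPLE_HTML, "https://www.example.test/login"):
        print(f"{kind:7} <{tag}> {url}")
```

Run against a real page, the "active" list is the to-do list for the switch: each entry either needs an https:// version of the asset or a relative/protocol-relative reference. The "passive" list is what will still produce a warning afterwards.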

Currently, all of the Verge's users are being directed to send their passwords in plaintext. That is irresponsible even on a wired network, where every router and network between you and the Verge can read the password as it passes through. But if you're currently connecting to the Verge via a wireless network, public *or otherwise*, your computer is effectively broadcasting your username and password to anyone in radio range who cares to listen: on an open network every frame is readable as it is, and on a password-protected one anybody else who knows the network key can generally decrypt your traffic too. And listening is easy. And it is done.

This happens because the Verge's login page directs the browser to send the credentials that way. Most people don't even know that the Verge website leads them to do this, because any responsible site does not. And those people who do know how this works probably haven't noticed, because they just take for granted that the website will send them to HTTPS and didn't check that it did.
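To make "listening is easy" concrete: once a login form is submitted over plain http://, the password sits in the request body as an ordinary URL-encoded field, and anyone holding a copy of the packets needs nothing more than a few lines of parsing to pull it out. The following is an added example, not part of the original post and not real Verge traffic; the captured request, its host name and the "user[login]"/"user[password]" field names are constructed. Over https:// the same bytes would be inside TLS records and the listener would see only ciphertext.

```python
"""What a passive listener sees when a login form is posted over plain HTTP.
Added example with a constructed captured request; not real Verge traffic."""
from urllib.parse import parse_qs

# Field names that commonly carry the password or the username in login forms.
# The bracketed forms are what Rails-style nested params look like (assumption
# for the sample, not a claim about the Verge's form).
PASSWORD_FIELDS = {"password", "passwd", "pass", "pwd", "user[password]"}
USERNAME_FIELDS = {"username", "user", "email", "login", "user[login]"}


def parse_http_request(raw: bytes):
    """Split one HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Content-Length bounds the body; bytes past it belong to the next request
    # on a keep-alive connection.
    length = int(headers.get("content-length", len(body)))
    return method, target, headers, body[:length]


def extract_credentials(raw: bytes):
    """Return {'username', 'password', 'host', 'path'} if `raw` is a cleartext
    form login, else None.  Only application/x-www-form-urlencoded bodies are
    handled, which is what an ordinary <form method="post"> produces."""
    method, target, headers, body = parse_http_request(raw)
    if method != "POST":
        return None
    ctype = headers.get("content-type", "")
    if not ctype.startswith("application/x-www-form-urlencoded"):
        return None
    fields = parse_qs(body.decode("utf-8", errors="replace"))
    found = {}
    for name, values in fields.items():
        key = name.lower()
        if key in PASSWORD_FIELDS:
            found["password"] = values[0]
        elif key in USERNAME_FIELDS:
            found["username"] = values[0]
    if "password" not in found:
        return None
    found["host"] = headers.get("host", "")
    found["path"] = target
    return found


# Constructed capture of a login POST sent over http://.  On the wire this is
# exactly what every hop between the user and the site, and every station on an
# open Wi-Fi network, can read.
CAPTURED = (
    b"POST /users/login HTTP/1.1\r\n"
    b"Host: www.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 62\r\n"
    b"\r\n"
    b"user%5Blogin%5D=alice&user%5Bpassword%5D=hunter2%21&remember=1"
)

if __name__ == "__main__":
    print(extract_credentials(CAPTURED))
```

In practice this logic is run over a packet capture (or live on the interface) rather than a single byte string, but the per-request step is the whole of it: no cracking, no guessing, just reading. The same function, pointed at traffic from a site that serves its login over https://, returns nothing, because it never sees a plaintext request.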

Finally, yes - this matters. Aside from looking extremely shoddy to any reputable web developer, aside from being very bad practice, aside from throwing away security for The Verge itself: many people use the same password for multiple sites. Do you? Then you have to regard that password as compromised as of now, because you've been broadcasting it to every computer nearby each time you log into The Verge.

This needs fixing. I'm making this post because it's a serious failing, and the response in the other thread, which is locked so I can't reply to it, sounds rather dismissive of this.

I'm disappointed by this and quite concerned. Not simply by the error in the first place, but the lack of concern shown when people have contacted The Verge about it. It looks very bad and it is a security risk for your users.

When you put a site together, you don't leave this stuff until the end, because you never reach the end. There will always be something else you're told to get done first, because the importance of security is only shown when it fails. So you build it in at the start. You shouldn't *get* to the point where you are later on trying to sort out HTTP links so that you can switch the login page to HTTPS. You should build the site so that right from the prototype stage you have considered security. If the original design did do this and it was turned off for the sake of sticking in some stylesheets or what have you when they weren't easily obtained over HTTPS, then that was even worse.

Right now, The Verge is putting its users at risk. Eavesdropping on connections isn't hypothetical. It happens frequently. It is happening to some Verge users right now, I can almost guarantee it, given the number of users The Verge has.

Please sort this out. The replies in the locked thread did not reassure.