Is Stack Overflow “secure”? Kind of…

added by troyhunt
8/6/2012 11:36:50 PM

9 Kicks, 463 Views

I had an interesting question pop up on my “SSL is not about encryption” blog post this weekend: "I have a question about logging to site like StackOverflow which doesn't use SSL at all. If I am login to SO via Google. Is this secure in this case?" This is actually a very good question for a number of reasons so I thought it deserved a little more attention than just the short response I gave on the blog. The question implies there is some sort of absolute state to security (probably unintentionally) where a site such as Stack Overflow is deemed to be either “secure” or “insecure” (hence the quotes in the title). The reality is that there are a few more twists to it than that and Stack Overflow in particular is an interesting case study due to their use of a third party authentication provider. What this blog post will show you is that in this particular case, we’re really looking at two different security domains with different levels of protection and in the case of Stack Overflow, yes, it’s kind of secure – but then it’s also kind of insecure too…


8/7/2012 8:04:04 AM
I know that Stackoverflow has always prided itself on how many users it can serve with a limited amount of hardware, I wonder if this stems from that? It does take more resources to enforce SSL over every connection, so perhaps they're concerned about traffic?

8/7/2012 5:45:55 PM
As per the post, Google seems to think that resource overhead is negligible. I suspect the barriers for SO would be more about the mechanisms they're using for caching and the impact on CDN partners. Certainly there are some issues to overcome and they do compound at scale.