by rplnt 3749 days ago
Job site without SSL? That's new. Maybe they are just listing the jobs, and linking directly to companies' own postings?

    Email
    First Name
    Last Name
    Upload Resume
Nope.

So, yeah.. no.


Account creation and login pages are also served over HTTP. This site is insecure and should be taken down immediately.
It's a failure of the web browsers to work with a site that would let you be so insecure that it "should be taken down immediately".

Also, I appreciate and agree with the mindset that SSL should be ubiquitous and that this site is insecure, but I gotta say, the way you're phrasing this reminds me of the most arrogant, spoiled customers that "demand" whatever pleases them to customer support and take out all their anger on CSRs.

You can share advice without being demanding and arrogant. Try it.

Conversely, I find his comment to be perfectly matter-of-fact, whereas I find yours (esp. your last paragraph) comes across as condescending, haughty and (ironically) arrogant.
So you think it's OK to demand the shutdown of a site, saying it "should be taken down immediately"?

I wasn't kidding when I said it reminded me of the attitude some of the nastiest people adopt when dealing with CSRs. Completely forgetting the human element and just demanding things all the time. A HN comment has even less of a say in whether a site be taken down.

Humility isn't a sin. How hard can it be to stop at "This site is insecure."?

So you think it's OK to demand the shutdown of a site, saying it "should be taken down immediately"?

If it's potentially exposing the personal information of others, yes. The fact that the above statement values the hypothetical feelings of a person providing the aforementioned site rather than the personal information potentially exposed by anyone using the site suggests that perhaps priorities have not been evaluated properly.

My statement was simple, short, and to the point. No criticism of its author was made nor intended.

Considering it should only take a matter of minutes to bring it back up with https using Let's Encrypt, yes. The longer it's available without security, the larger the window for trouble.

There is no excuse these days for not protecting your users' data. It should be taken down and secured ASAP.

Engineers have a moral, ethical, and potentially fiscal responsibility to secure the personal data of individuals they are asking for.

It is not demanding or arrogant to require and/or expect secure connections when an organization is requesting personal data.

You're right, but this is just the HN crowd for you. I wonder how some people here communicate IRL.
Probably with more words, less anonymity, and the direct attention of other participants.
Yeah, I checked to see if it was simply not redirecting to https and was sad to see the typical cert warning since it tries to use a Heroku cert by default (e.g. the developer didn't set one up).

I'm curious if the paying of $199 goes over SSL or not. I would hope so but I didn't want to go through the process to find out.

I just tested it, payment is handled over HTTPS