Hacker News
by tptacek 5611 days ago
I addressed this point in another comment. Briefly: my advice regarding that fact would not be to improve HN's security; it would be to get the YC functionality off HN, stat. HN is way more a target than YC's stuff ever will be. Most of the people who will take a run at this site don't even know what YC is.
1 comments

Ok, that would work too. But I'd guess that there are significant barriers to doing that (i.e., it would take a lot of work to make it happen).

Plus it's never optimal, even for a bs written-in-a-weekend app, to send passwords in the clear, given how many people use the same password on multiple sites. And even though HN isn't that important, we'd certainly prefer to avoid the headache that would result from someone getting a mod's account, banning a bunch of high-karma people, deleting a ton of stuff, etc.

So SSL is a good solution because a) it could be deployed today, and b) it's preferable anyway. But I agree that if they decoupled HN from all the other YC stuff, I'd be a lot less concerned.