by dagrz 5078 days ago
For the scenario you mentioned, just having the login/comment submissions work over SSL results in zero added security. In short, this is because of tools such as SSL strip.

A better suggestion would be to have the entire site available over SSL only. Good to see HN'ers taking security seriously though :)

3 comments

On Google Chrome you can manually add news.ycombinator.com to the HSTS set via chrome://net-internals/#hsts. This will prevent you from accidentally going to the non-SSL version of the site.
Not quite zero. SSLstrip requires an active MITM, versus other "listen-only" attacks to snoop credentials off the wire.
Agreed, Firesheep demonstrated the problems with sending cookies over HTTP... it's at least a start though.
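The thread recommends serving the whole site over SSL and pinning it with HSTS so a browser never follows a stripped http:// link. The check below is an added example, not code from any commenter: it parses a Strict-Transport-Security header (RFC 6797 directives) and reports whether the policy actually closes the gaps discussed here. The header dicts and the 180-day threshold are constructed assumptions for the demo.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool

def parse_hsts(header: Optional[str]) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value. Returns None when the header
    is missing or has no numeric max-age, since browsers ignore it then."""
    if header is None:
        return None
    max_age = None
    include_sub = preload = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_sub, preload)

def assess(headers: Dict[str, str], min_age: int = 180 * 86400) -> List[str]:
    """Findings for one HTTPS response's headers (constructed sample input)."""
    policy = parse_hsts(headers.get("Strict-Transport-Security"))
    findings = []
    if policy is None:
        # Without HSTS the first http:// visit can be kept on plain HTTP by an
        # active MITM, which is the SSLstrip case raised in the thread.
        findings.append("no HSTS: http:// visits can be stripped")
        return findings
    if policy.max_age == 0:
        findings.append("max-age=0 clears the policy")
    elif policy.max_age < min_age:
        findings.append(f"max-age {policy.max_age} shorter than {min_age}")
    if not policy.include_subdomains:
        # Session cookies scoped to the parent domain still travel to
        # subdomains that may be reachable over HTTP (the Firesheep case).
        findings.append("includeSubDomains missing: subdomains still exposed")
    return findings

# Constructed samples: a site with a sound policy and one with none.
GOOD = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
NONE: Dict[str, str] = {}
```

HSTS is only learned on a first HTTPS visit (or from the preload list), which is why the Chrome comment above adds the entry by hand.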