Allow TLS/SSL encrypted use of LiveJournal (not just logins)

Oct 28, 2010 09:52



Short, concise description of the idea
Now that cookie-capturing attacks (e.g. Firesheep) have become easy to use, it would be good to be able to use LiveJournal through an encrypted connection.

Full description of the idea
It's been possible to log in through an encrypted connection ( Read more... )

security, § no status


Comments 7

koulagirl666 November 10 2010, 12:53:01 UTC
I just want to say this is a well-thought-out and wonderfully detailed suggestion.



pauamma November 10 2010, 13:53:32 UTC
Yep, definitely needed.



(The comment has been removed)

pne November 10 2010, 16:17:23 UTC
Insecure content would be a huge problem in general, not just for ads. Consider images posted by users in their entries. Or, worse yet: userpics are hosted through the (external) Limelight CDN, which might not support SSL (or might charge much more for SSL delivery).

Good point - hadn't thought of those.



azurelunatic November 10 2010, 21:48:16 UTC
Another benefit: less wear and tear on the people expected to deal with incidents of account compromisation.



imc November 11 2010, 17:16:24 UTC
Good point well made.

I seriously doubt this will get done in the near future. :-(  If it is, it's likely to be only on site pages (for reasons including those mentioned above).

You can mitigate the effect of cookie-stealing by setting the "Bind cookie to IP address" option when logging in, which admittedly doesn't work in all circumstances. But as far as I know there is still a years-old bug in ScrapBook which means that it doesn't think you are logged in if you selected this option, so it's useless for managing your pics or even for looking at others' friends-only pics. (Yay for security…)

I think the per-subdomain cookies only give away read access - so there's still a privacy issue but at least not one of malicious damage.


