It only sends the credentials once when you login, and that's only to HN's https login page. It then only includes HN's regular cookie in the http headers on requests that go to an https page inside HN after you've logged in.