GitHub moves to SSL, but remains Firesheepable - makuro
http://news.netcraft.com/archives/2010/11/03/github-moves-to-ssl-but-remains-firesheepable.html

======
rtomayko
We fat fingered the config. The cookie is marked secure now but we found
another issue where it's being sent back on redirected HTTP requests. It
should be all plugged up in a bit.

~~~
rtomayko
Okay. The session cookie is marked secure and is sent only in response to
HTTPS requests. That should cover everything.

~~~
percept
Somebody get this guy some karma.

------
tptacek
I'm torn between the fact that Netcraft wrote a rather large blog post taking
Github to task for a simple oversight --- against the fact that there is a
pervasive misconception that the HTTP cookie "Secure" flag is not a big deal.
The "Secure" flag is a very big deal. You might as well not be SSL without it.
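To make the point above concrete, here is a small Python example (added to this thread, not code from GitHub or Netcraft) that audits a Set-Cookie header for the Secure and HttpOnly flags, then uses the standard library's cookie jar, whose policy enforces the Secure flag the way browsers do, to show what happens on a plain-HTTP request with and without it. The hostname, cookie name and value are made up for the example.

```python
"""Audit Set-Cookie headers for the Secure flag and show what a client cookie
jar does with and without it. Example code added to this thread; not GitHub's
or Netcraft's code. Hostname and cookie values are constructed."""
from http.cookiejar import Cookie, CookieJar
from http.cookies import SimpleCookie
from urllib.request import Request

# Constructed sample Set-Cookie headers: a "before" and an "after" configuration.
BEFORE = "_session=abc123; Path=/; HttpOnly"          # Secure flag missing
AFTER = "_session=abc123; Path=/; Secure; HttpOnly"   # what the fix looks like


def audit_set_cookie(header_value):
    """Parse one Set-Cookie header and report which protective flags are absent.

    Returns {cookie name: [missing flags]}; an empty list means the cookie
    carries both Secure and HttpOnly."""
    parsed = SimpleCookie()
    parsed.load(header_value)
    findings = {}
    for name, morsel in parsed.items():
        missing = []
        if not morsel["secure"]:
            # Without Secure, any http:// request to the host carries the cookie
            # in cleartext, which is exactly what a passive sniffer collects.
            missing.append("Secure")
        if not morsel["httponly"]:
            missing.append("HttpOnly")
        findings[name] = missing
    return findings


def make_session_cookie(host, secure):
    """Build the cookie a client would store after receiving the Set-Cookie."""
    return Cookie(
        version=0, name="_session", value="abc123",
        port=None, port_specified=False,
        domain=host, domain_specified=True, domain_initial_dot=False,
        path="/", path_specified=True,
        secure=secure, expires=None, discard=True,
        comment=None, comment_url=None, rest={},
    )


def cookie_header_for(host, secure, url):
    """Return the Cookie header a client jar would attach to `url`, or None.

    The stdlib DefaultCookiePolicy refuses to send a Secure cookie over a
    non-HTTPS scheme, which mirrors browser behaviour."""
    jar = CookieJar()
    jar.set_cookie(make_session_cookie(host, secure))
    req = Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def plaintext_leak(host, secure):
    """True if the session cookie would ride along on a plain-HTTP request to
    the host, i.e. the request that is visible on an open wireless network."""
    return cookie_header_for(host, secure, "http://" + host + "/") is not None


if __name__ == "__main__":
    host = "github.example"  # placeholder hostname, not the real site
    for label, header in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_set_cookie(header))
    print("non-Secure cookie leaks over http:", plaintext_leak(host, secure=False))
    print("Secure cookie leaks over http:", plaintext_leak(host, secure=True))
    print("Secure cookie on https:", cookie_header_for(host, True, "https://" + host + "/"))
```

The jar check is the useful half: marking the cookie Secure is what stops the client from attaching it to any http:// request to the same host (including a redirect from http to https), so a site that serves everything over TLS but leaves the flag off still exposes the session the first time a user types a plain http:// URL.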

~~~
sh1mmer
Even if Github's implementation was misconfigured at first the right thing
would be to inform them, wait for the fix and _then_ blog about how to do it
successfully.

Posting zero day exploits is not big or clever. Github's public transition to
SSL should have encouraged people to not use Firesheep to try and snoop on
their users' traffic. While a false sense of security doesn't help anyone,
this kind of blogging remains more actively destructive than helpful.

~~~
pjhyett
I don't know the Firesheep guys personally to determine their motivation
behind not informing us prior to releasing the extension, but I'm very
surprised Netcraft acted this way.

People seem to be jumping on this issue with zero regard for what I think is
just common courtesy to site owners.

------
colbyolson
It's nice to see GitHub jumping to show action in regards to FireSheep and SSL
security, and being able to implement something quickly.

I wish other sites were able to follow suit.

~~~
mrduncan
They need users to be confident in their ability to run a secure service,
especially when company secrets (source code, in this case) are on the line.

Also, their audience is much more likely to pay attention to things like
FireSheep. I can just about guarantee that 9/10 Facebook users have never
heard of FireSheep and wouldn't even notice if Facebook went 100% SSL
tomorrow.

Edit: That said, I totally agree with your comment.

~~~
abraham
Probably more like 999/1000 Facebook users have never heard of FireSheep.

------
awesome123
Maybe I shouldn't be so naive, but this whole firesheep release is very
shocking to me. Facebook is very insecure, and it is incredibly scary that so
many people trust Facebook's privacy and give Facebook so much personal
information.

~~~
Fluxx
Well part of the reason this is so exploitable is because with Wifi, packets
are broadcast through the air for anyone to pick up. With modern switched
networks, packets only get routed to the IP they're intended for.

~~~
bl4k
ye dude, 'modern switched networks' can still be sniffed. see arp-flooding
etc.

------
alexknight
Glad to see GitHub taking extra steps to secure users. Even though the recent
scary news brought forth by Firesheep is nothing most relatively tech savvy
people know, it's definitely going to shake things up. Huge wake-up call for
many companies and I'm sure we'll start to see more online services provide
end-to-end encryption with encrypted cookies as well.

------
abraham
And yet all of his Twitter links are non SSL...