

Making Twitter more secure: HTTPS - abraham
http://blog.twitter.com/2011/03/making-twitter-more-secure-https.html

======
lamby
Wait, the check for whether a user always wants to use HTTPS is done after
they login over HTTP?

~~~
abraham
Login is POSTed to an SSL endpoint at which point cookies are set that are SSL
only. Passwords are never sent over a non-SSL request.

~~~
lamby
Thanks.

Although without HTTP STS or similar I could still MITM the landing page... :)

~~~
abraham
Very true! I hadn't even thought of that.
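An added example, not code from the original post or from Twitter, that audits a login response for the two points raised in this thread: whether session cookies are set SSL-only (the Secure attribute abraham describes) and whether the HTTP Strict Transport Security header lamby asks about is present and long-lived. The sample responses, cookie names and the six-month max-age floor are constructed assumptions.

```python
# Constructed sample responses (header name -> list of values); not captured
# from twitter.com. The first sets SSL-only cookies and sends HSTS; the second
# leaves one session cookie without Secure and omits HSTS entirely.
RESPONSE_OK = {"Set-Cookie": ["_session=abc123; Path=/; Secure; HttpOnly",
                              "auth_token=def456; Path=/; Secure; HttpOnly"],
               "Strict-Transport-Security": ["max-age=31536000; includeSubDomains"]}
RESPONSE_WEAK = {"Set-Cookie": ["_session=abc123; Path=/; Secure; HttpOnly",
                                "lang=en; Path=/",  # not a session cookie
                                "auth_token=def456; Path=/; HttpOnly"]}  # no Secure
SESSION_COOKIES = {"_session", "auth_token"}  # assumed names, for the example
MIN_HSTS_MAX_AGE = 180 * 24 * 3600            # six months, an assumed floor


def parse_set_cookie(value):
    """Return (cookie name, {attribute: value}) with attribute names lowercased."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def parse_hsts(value):
    """Return the directives of a Strict-Transport-Security header, lowercased."""
    directives = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            directives[key.lower()] = val.strip().strip('"')
    return directives


def audit(headers, session_cookies=SESSION_COOKIES):
    """List the gaps a response leaves: session cookies that would also travel
    over plain HTTP, and a missing or short-lived HSTS policy. Note that a
    browser only remembers HSTS after one HTTPS visit, so the very first
    plain-HTTP landing stays exposed even when the header is correct."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    for raw in h.get("set-cookie", []):
        name, attrs = parse_set_cookie(raw)
        if name in session_cookies and "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure; it would be sent on an HTTP request")
    hsts = h.get("strict-transport-security")
    if not hsts:
        findings.append("no Strict-Transport-Security; an HTTP visit to the landing page stays interceptable")
    else:
        max_age = parse_hsts(hsts[0]).get("max-age", "")
        if not max_age.isdigit() or int(max_age) < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age {max_age!r} below {MIN_HSTS_MAX_AGE}s")
    return findings
```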

