
Can anyone think of a good reason LinkedIn didn't mark their cookies as HTTPS-only?

http://en.wikipedia.org/wiki/HTTP_cookie#Secure_and_HttpOnly




Because they allow HTTP, which for any sensitive site is a very bad idea. Their setup enables MITM attacks even against users that are careful to always use HTTPS for visiting LinkedIn.

-----


They forgot?

-----


Not only are they not marked Secure, but a lot of them are set to linkedin.com, meaning they are sent with requests to x.linkedin.com.

Considering a lot of their subdomains are still hijacked at this point, those cookies are being sent to them.

-----
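A worked illustration of the two points raised above (a session cookie issued without the Secure flag, and a cookie scoped to the parent domain with Domain=linkedin.com), added here as an editor's example and not taken from any commenter. It uses Python's standard http.cookiejar, which applies browser-style rules for domain matching and for withholding Secure cookies from plaintext requests. All URLs, cookie names and values below are constructed for the demonstration.

```python
"""Show where a cookie goes depending on its Secure flag and Domain attribute.

http.cookiejar implements the same decision a browser makes: a cookie marked
Secure is only attached to https:// requests, and a cookie with a Domain
attribute is attached to every subdomain of that domain.
"""
import email.message
from http.cookiejar import CookieJar
from urllib.request import Request


class _SetCookieResponse:
    """Minimal stand-in for an HTTP response: the cookie jar only needs
    .info() to return an object that answers get_all('Set-Cookie')."""

    def __init__(self, set_cookie_headers):
        self._headers = email.message.Message()
        for value in set_cookie_headers:
            self._headers["Set-Cookie"] = value  # Message appends, so repeats are kept

    def info(self):
        return self._headers


def cookies_sent_to(set_cookie_headers, setting_url, target_urls):
    """Store the Set-Cookie headers as if received from setting_url, then
    report the cookie names the jar would attach to a request to each target."""
    jar = CookieJar()
    jar.extract_cookies(_SetCookieResponse(set_cookie_headers), Request(setting_url))
    result = {}
    for url in target_urls:
        req = Request(url)
        jar.add_cookie_header(req)          # applies Secure / Domain / Path rules
        header = req.get_header("Cookie", "")
        names = sorted(
            part.split("=", 1)[0].strip()
            for part in header.split(";")
            if part.strip()
        )
        result[url] = names
    return result


def missing_flags(set_cookie_header):
    """Return which of the two protective attributes a Set-Cookie header lacks.
    Attribute names are matched case-insensitively, as browsers do."""
    attrs = {part.strip().lower() for part in set_cookie_header.split(";")[1:]}
    return [flag for flag in ("Secure", "HttpOnly") if flag.lower() not in attrs]


# Constructed example: where the cookie is issued and where requests then go.
SETTING_URL = "https://www.linkedin.com/login"
TARGETS = [
    "https://www.linkedin.com/feed",   # same host over TLS
    "http://www.linkedin.com/feed",    # same host in plaintext, readable on the network path
    "https://x.linkedin.com/",         # a subdomain, possibly not under the same control
]

# Constructed weak header: no Secure, no HttpOnly, scoped to the whole parent domain.
WEAK = ["session_id=s3cr3t; Path=/; Domain=linkedin.com"]
# Constructed hardened header: host-only (no Domain), HTTPS-only, not readable by script.
HARDENED = ["session_id=s3cr3t; Path=/; Secure; HttpOnly"]


if __name__ == "__main__":
    for label, headers in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, "missing:", missing_flags(headers[0]))
        for url, names in cookies_sent_to(headers, SETTING_URL, TARGETS).items():
            print(f"  {url:<32} -> {names}")
```

Running the script shows the weak cookie attached to all three requests, including the plaintext one and the subdomain, while the hardened cookie is only attached to the https://www.linkedin.com request. The `missing_flags` check is the kind of thing to run over a site's actual Set-Cookie headers (from a browser's developer tools or a proxy log) when auditing session handling.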


I often describe LinkedIn as a bunch of business people, who have a website. It's not a tech company and the hiring reflects that.

-----


Seriously?

http://blog.linkedin.com/2011/01/11/open-source-linkedin-kaf... http://blog.linkedin.com/2009/03/20/project-voldemort-scalin...

-----


I was an engineering intern there for a summer. The interviews were as difficult as any other tech company in the valley, as was the workload. It is most certainly a tech company.

-----


dsl, no offense, but you seem to have a problem with any company that doesn't hire/provide employment to your average local community college CS grad and instead hires globally based purely on merit.

Linkedin interviews are on par with facebook/google et al.

-----


I don't know anything about dsl's commenting history, but this comment sounds elitist. Not sure if you meant it that way, but your point would have been made without the implication that top schools are a requirement to be globally meritorious.

-----


Really, now the sock puppets are coming out?

I hire people purely on technical merit, I don't even bother reviewing educational credentials. I am opposed to abusing the H1-B system rather than opening offices overseas to bring in skilled labor and raise local standards of living.

-----


LinkedIn does have overseas offices.

http://www.buzzom.com/2011/11/linkedin-opens-a-technology-ce...

-----


Opening new offices overseas is obviously not feasible in all cases and scalable.

And I don't think companies like Linkedin, Facebook, Google etc abuse the H1-B system. People there are genuinely smart.

However, there are certain consulting companies like Accenture, Infosys, TCS, Cognizant, various body shops etc. that abuse the shit out of it. The govt. should definitely be more proactive in banning these companies and not play to the likes of NASSCOM. In fact, I'd argue that the govt. should come up with a whitelist of companies to grant H1-Bs to.

-----



