
> safety is top priority

yet they didn't go full https till early 2015 - when do we get to start pointing this shit out? Sidejacking attacks have been around for years (Hamster [1] is from 2007), and the millions of other reasons to do it just keep growing. I feel like at some point you can't say "safety is top priority" just for implementing HTTPS sitewide.

[1] http://blog.erratasec.com/2007/08/sidejacking-with-hamster_0...



It's just a saying; a platitude like "get well soon", "just be yourself", or "employees must wash hands". Safety (really security in general) is top priority only after you've already knocked out user acquisition, basic short term financial stability, and product stability. As such, by "safety is a top priority", they really mean "safety is a top priority now".


> We identified and mitigated many technical challenges in the discovery process of the migration.

Turning on HTTPS is not a one-step migration.

Turning on CSP has also proven to be very difficult for nearly every site that wishes to turn it on.

Where I work I am dealing with a production issue with one of the security features: enabling it caused a redirection loop. I am not saying this is an excuse, but there are challenges.
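
As an added illustration (not code from the thread or from the site under discussion) of why "turn on HTTPS" can produce exactly the redirection loop the comment above describes: a force-HTTPS rule that only looks at the scheme the app itself saw loops forever once TLS terminates at a reverse proxy, because every request then reaches the app over plain HTTP. The fix is to honour X-Forwarded-Proto, but only from a proxy you control, otherwise any client can spoof the header and skip the redirect. The request shape, host names and proxy address are constructed for the example.

```python
"""Force-HTTPS redirect behind a TLS-terminating proxy: loop vs. fix.

Added example, not code from the original thread. The request dict
shape, the host "example.test" and the proxy address 10.0.0.5 are
constructed for illustration.
"""
from urllib.parse import urlunsplit

# Constructed: the address of our own TLS-terminating load balancer.
TRUSTED_PROXIES = {"10.0.0.5"}


def _https_location(req):
    return urlunsplit(("https", req["host"], req["path"], "", ""))


def naive_redirect(req):
    """Redirect whenever the app saw the request over plain HTTP.

    Returns the Location to redirect to, or None if no redirect is needed.
    Behind a proxy that always speaks plain HTTP to the app this never
    returns None, which is the redirection loop.
    """
    if req["scheme"] == "https":
        return None
    return _https_location(req)


def effective_scheme(req, trusted_proxies=TRUSTED_PROXIES):
    """Scheme as the client saw it.

    X-Forwarded-Proto is only believed when the connecting peer is one of
    our own proxies; from anyone else the header is attacker-controlled.
    """
    xfp = req.get("headers", {}).get("X-Forwarded-Proto")
    if xfp and req["peer"] in trusted_proxies:
        # Some proxies append to an existing list; the first entry is the
        # scheme on the client-facing hop.
        return xfp.split(",")[0].strip().lower()
    return req["scheme"]


def proxy_aware_redirect(req, trusted_proxies=TRUSTED_PROXIES):
    """Same rule, but decided on the client-facing scheme."""
    if effective_scheme(req, trusted_proxies) == "https":
        return None
    return _https_location(req)


def simulate(redirect_fn, max_hops=5):
    """Client behind the proxy follows redirects; count them.

    Returns the number of redirects before a non-redirect response, or
    max_hops if the rule never stops redirecting (a loop).
    """
    client_scheme = "http"
    hops = 0
    while hops < max_hops:
        # Constructed request: the proxy always reaches the app over plain
        # HTTP and reports the client's real scheme in X-Forwarded-Proto.
        req = {
            "scheme": "http",
            "peer": "10.0.0.5",
            "host": "example.test",
            "path": "/login",
            "headers": {"X-Forwarded-Proto": client_scheme},
        }
        if redirect_fn(req) is None:
            return hops
        client_scheme = "https"
        hops += 1
    return hops


if __name__ == "__main__":
    print("naive rule, redirects followed:", simulate(naive_redirect))
    print("proxy-aware rule, redirects followed:", simulate(proxy_aware_redirect))
```

The same trust boundary matters when the rule is expressed in the web server or load balancer rather than in application code: the redirect decision has to be made from the scheme of the client-facing hop, and the forwarded-scheme header must be stripped or overwritten at the edge so it cannot be supplied by the client.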


I'm not saying it's easy, but if "safety is top priority", it shouldn't take this long.




