GitHub moves to SSL, but remains Firesheepable (opens in new tab)

(news.netcraft.com)

72 pointsmakuro15y ago14 comments

14 comments

14 comments · 6 top-level

rtomayko15y ago· 2 in thread

We fat fingered the config. The cookie is marked secure now but we found another issue where it's being sent back on redirected HTTP requests. It should be all plugged up in a bit.

rtomayko15y ago

Okay. The session cookie is marked secure and is sent only in response to HTTPS requests. That should cover everything.

percept15y ago

Somebody get this guy some karma.

tptacek15y ago· 2 in thread

I'm torn between the fact that Netcraft wrote a rather large blog post taking Github to task for a simple oversight --- against the fact that there is a pervasive misconception that the HTTP cookie "Secure" flag is not a big deal. The "Secure" flag is a very big deal. You might as well not be SSL without it.

sh1mmer15y ago

Even if Github's implementation was misconfigured at first the right thing would be to inform them, wait for the fix and _then_ blog about how to do it successfully.

Posting zero day exploits is not big or clever. Github's public transition to SSL should have encouraged people to not use Firesheep to try and snoop on their users' traffic. While a false sense of security doesn't help anyone, this kind of blogging remains more actively destructive than helpful.

pjhyett15y ago

I don't know the Firesheep guys personally to determine their motivation behind not informing us prior to releasing the extension, but I'm very surprised Netcraft acted this way.

People seem to be jumping on this issue with zero regard for what I think is just common courtesy to site owners.

colbyolson15y ago· 2 in thread

It's nice to see GitHub jumping to show action in regards to FireSheep and SSL security, and being able to implement something quickly.

I wish other sites were able to follow suit.

mrduncan15y ago

They need users to be confident in their ability to run a secure service, especially when company secrets (source code, in this case) are on the line.

Also, their audience is much more likely to pay attention to things like FireSheep. I can just about guarantee that 9/10 Facebook users have never heard of FireSheep and wouldn't even notice if Facebook went 100% SSL tomorrow.

Edit: That said, I totally agree with your comment.

abraham15y ago

Probably more like 999/1000 Facebook users have never heard of FireSheep.

awesome12315y ago· 2 in thread

Maybe I shouldn't be so naive, but this whole firesheep release is very shocking to me. Facebook is very insecure, and it is incredibly scary that so many people trust Facebook's privacy and give Facebook so much personal information.

Fluxx15y ago

Well part of the reason this is so exploitable is because with Wifi, packets are broadcast through the air for anyone to pick up. With modern switched networks, packets only get routed to the IP they're intended for.

bl4k15y ago

ye dude, 'modern switched networks' can still be sniffed. see arp-flooding etc.

alexknight15y ago

Glad to see GitHub taking extra steps to secure users. Even though the recent scary news brought forth by Firesheep is nothing most relatively tech savy people know, it's definitely going to shake things up. Huge wake up call for many companies and I'm sure we'll start to see more online services provide end-to-end encryption with encrypted cookies as well.

abraham15y ago

And yet all of his Twitter links are non SSL...

j / k navigate · click thread line to collapse

14 comments

14 comments · 6 top-level

rtomayko15y ago· 2 in thread

We fat fingered the config. The cookie is marked secure now but we found another issue where it's being sent back on redirected HTTP requests. It should be all plugged up in a bit.

rtomayko15y ago

Okay. The session cookie is marked secure and is sent only in response to HTTPS requests. That should cover everything.

percept15y ago

Somebody get this guy some karma.

tptacek15y ago· 2 in thread

sh1mmer15y ago

Even if Github's implementation was misconfigured at first the right thing would be to inform them, wait for the fix and _then_ blog about how to do it successfully.

pjhyett15y ago

I don't know the Firesheep guys personally to determine their motivation behind not informing us prior to releasing the extension, but I'm very surprised Netcraft acted this way.

People seem to be jumping on this issue with zero regard for what I think is just common courtesy to site owners.

colbyolson15y ago· 2 in thread

It's nice to see GitHub jumping to show action in regards to FireSheep and SSL security, and being able to implement something quickly.

I wish other sites were able to follow suit.

mrduncan15y ago

They need users to be confident in their ability to run a secure service, especially when company secrets (source code, in this case) are on the line.

Edit: That said, I totally agree with your comment.

abraham15y ago

Probably more like 999/1000 Facebook users have never heard of FireSheep.

awesome12315y ago· 2 in thread

Fluxx15y ago

bl4k15y ago

ye dude, 'modern switched networks' can still be sniffed. see arp-flooding etc.

alexknight15y ago

abraham15y ago

And yet all of his Twitter links are non SSL...

j / k navigate · click thread line to collapse