We fat-fingered the config. The cookie is marked secure now but we found another issue where it's being sent back on redirected HTTP requests. It should be all plugged up in a bit.
I'm torn between the fact that Netcraft wrote a rather large blog post taking Github to task for a simple oversight --- against the fact that there is a pervasive misconception that the HTTP cookie "Secure" flag is not a big deal. The "Secure" flag is a very big deal. You might as well not be SSL without it.
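As an added illustration of the two comments above (not code from the thread or from GitHub), the following Python models what a browser does with a cookie depending on its Secure flag, and audits Set-Cookie headers for session cookies that lack it. The cookie names, values and headers are constructed for the example; the prefix `_session` used to identify "sensitive" cookies is an assumption of this example.

```python
"""Why the Secure flag matters: a cookie set without it is attached to plain
http:// requests as well (for instance after a redirect to an HTTP URL), where a
passive sniffer on the same Wi-Fi can read it. A cookie set with Secure is only
ever sent over https://.
"""

from http.cookies import SimpleCookie
from urllib.parse import urlparse

# Constructed sample Set-Cookie header values (not real GitHub headers).
RESPONSES = [
    "_session=abc123; Path=/; HttpOnly",                # session cookie, Secure missing
    "_session_fixed=abc123; Path=/; Secure; HttpOnly",  # session cookie, correctly flagged
    "pref=dark; Path=/",                                # non-sensitive preference cookie
]


class CookieJar:
    """Minimal browser-style cookie jar honouring the Secure attribute."""

    def __init__(self):
        self.cookies = {}  # cookie name -> http.cookies.Morsel

    def store(self, set_cookie_header):
        """Parse one Set-Cookie header value and remember its cookies."""
        parsed = SimpleCookie()
        parsed.load(set_cookie_header)
        for name, morsel in parsed.items():
            self.cookies[name] = morsel

    def cookies_for(self, url):
        """Names of the cookies a browser would attach to a request for url."""
        scheme = urlparse(url).scheme
        sent = []
        for name, morsel in self.cookies.items():
            # A Secure cookie is withheld from any non-https request.
            if morsel["secure"] and scheme != "https":
                continue
            sent.append(name)
        return sorted(sent)


def audit_set_cookie(headers, sensitive_prefixes=("_session",)):
    """Return the names of session-like cookies set without the Secure flag.

    sensitive_prefixes is an assumed heuristic for this example: any cookie
    whose name starts with one of these prefixes is treated as a credential.
    """
    missing = []
    for header in headers:
        parsed = SimpleCookie()
        parsed.load(header)
        for name, morsel in parsed.items():
            if name.startswith(sensitive_prefixes) and not morsel["secure"]:
                missing.append(name)
    return missing


if __name__ == "__main__":
    jar = CookieJar()
    for header in RESPONSES:
        jar.store(header)
    print("sent over https:", jar.cookies_for("https://example.com/"))
    print("sent over http: ", jar.cookies_for("http://example.com/"))
    print("session cookies missing Secure:", audit_set_cookie(RESPONSES))
```

Running it shows `_session` leaking onto the plain-HTTP request while `_session_fixed` stays on HTTPS only; that leaked value is exactly what a Firesheep-style sniffer needs, which is why an all-HTTPS site without Secure on its session cookie gains little.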
Even if Github's implementation was misconfigured at first, the right thing would be to inform them, wait for the fix and _then_ blog about how to do it successfully.
Posting zero day exploits is not big or clever. Github's public transition to SSL should have encouraged people to not use Firesheep to try and snoop on their users' traffic. While a false sense of security doesn't help anyone, this kind of blogging remains more actively destructive than helpful.
I don't know the Firesheep guys personally to determine their motivation behind not informing us prior to releasing the extension, but I'm very surprised Netcraft acted this way.
People seem to be jumping on this issue with zero regard for what I think is just common courtesy to site owners.
They need users to be confident in their ability to run a secure service, especially when company secrets (source code, in this case) are on the line.
Also, their audience is much more likely to pay attention to things like FireSheep. I can just about guarantee that 9/10 Facebook users have never heard of FireSheep and wouldn't even notice if Facebook went 100% SSL tomorrow.
Edit: That said, I totally agree with your comment.
Maybe I shouldn't be so naive, but this whole Firesheep release is very shocking to me. Facebook is very insecure, and it is incredibly scary that so many people trust Facebook's privacy and give Facebook so much personal information.
Well part of the reason this is so exploitable is because with Wifi, packets are broadcast through the air for anyone to pick up. With modern switched networks, packets only get routed to the IP they're intended for.
Glad to see GitHub taking extra steps to secure users. Even though the recent scary news brought forth by Firesheep is nothing most relatively tech-savvy people know, it's definitely going to shake things up. Huge wake-up call for many companies and I'm sure we'll start to see more online services provide end-to-end encryption with encrypted cookies as well.