Channel: Why doesn't the Stack Overflow team fix the Firesheep style cookie theft? - Meta Stack Exchange

Answer by Nick Craver for Why doesn't the Stack Overflow team fix the...

We will be purchasing certificates for the network this week (dev is already in place), but there's still a lot left to do on the move to SSL. If you're curious about the details, you can read a recent...


Answer by goodguys_activate for Why doesn't the Stack Overflow team fix the...

My first guess is that advertising won't support HTTPS therefore making a mixed session and the user having to deal with the browser "do you want to continue" dialogs. More information: Google Ads...


Answer by Chris Frederick for Why doesn't the Stack Overflow team fix the...

For what it's worth, Jeff now appears to believe that "maybe encrypted connections should be the default for all web sites." I know that Jeff is leaving Stack Overflow in March 2012, but this post of...


Answer by Kaveh for Why doesn't the Stack Overflow team fix the Firesheep...

May I suggest a compromise? I think that the information which is not available publicly should be served over secure connections. These can include: when a moderator visits a page which is only...


Answer by Adam Davis 'ze-zir-zem' for Why doesn't the Stack Overflow team fix...

Why doesn't the Stack Overflow team fix the Firesheep style cookie theft? Because even the high-rep users have rate limits, so if the accounts are broken into, there's very little damage that can be...


Answer by nealmcb for Why doesn't the Stack Overflow team fix the Firesheep...

I agree that you should fix this right, with TLS/SSL. In the meantime, Ben Adida's proposal/code for "SessionLock Lite" offers an inexpensive interim approach that looks like it at least protects...


Answer by user153246 for Why doesn't the Stack Overflow team fix the...

There are ways to prevent cookie leaks without using SSL and that will add very little load. When a session is created, generate a random number (R) and associate it with the session. Pass this number...


Answer by nevan king for Why doesn't the Stack Overflow team fix the...

Here's a setting I made for getting Stack Overflow cookies. Please note that I don't even know how to write "leet" and I made this by just looking at other settings in Firesheep, and asking on Stack...


Answer by Zypher for Why doesn't the Stack Overflow team fix the Firesheep...

I was going to post this as a comment, but ran out of space. For @Kop and @Rook: For a site the size of Stack Overflow/Server Fault/Super User as well as the Stack Exchange network, you CANNOT just...


Answer by Jeff Atwood for Why doesn't the Stack Overflow team fix the...

If you have a "man in the middle" then there are deeper problems, like, you're using a compromised network. We do actually cycle part of the cookie every so often, so if someone has an old cookie of...


Why doesn't the Stack Overflow team fix the Firesheep style cookie theft?

Firesheep sniffs the network looking for session IDs and makes it very easy for an attacker to hijack this authenticated session. It should be noted that Firesheep is nothing new; it just makes this...
