GitHub's Defense Against Firesheep
Readers of this blog have most likely already heard of Firesheep, the Firefox plugin that makes session sidejacking as easy as clicking a toolbar link. While I have yet to plant myself in a coffee shop and steal people's Twitter and Facebook identities (not that I haven't been tempted), I have been concerned about securing my own applications against attack. Transforming all web requests to HTTPS simply isn't performant, but the solution GitHub has unveiled looks pretty smart:
we're rolling out the first in a series of measures we have planned to make GitHub more resilient to session hijacking attacks. The basic approach revolves around setting a second cookie (in addition to the normal session cookie) that is marked as secure. Cookies marked secure are sent only over SSL requests and are omitted on non-SSL requests.
Read more about their solution here.
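The two-cookie scheme from the quote, as an added Python example (my own illustration, not GitHub's code): the second cookie is bound to the session id with an HMAC under a constructed server key, the browser rule that omits Secure cookies on plain HTTP is modelled in `browser_cookie_header`, and the server-side `classify_request` flags a session cookie that arrives over TLS without its Secure twin, which is exactly what a sniffed-and-replayed cookie looks like. The cookie names, the HMAC binding and the classification labels are assumptions.

```python
"""Second 'Secure' cookie bound to the session cookie (demo, not GitHub's code)."""
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Constructed demo key; a real deployment loads this from a secret store.
SERVER_KEY = b"constructed-demo-key-not-for-production"


def secure_token_for(session_id: str) -> str:
    """Derive the Secure cookie's value from the session id with an HMAC,
    so someone who only sniffed the session cookie cannot forge its twin."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def issue_cookies(session_id: str = "") -> SimpleCookie:
    """Cookies set at login: the ordinary session cookie plus a Secure twin."""
    session_id = session_id or secrets.token_hex(16)
    jar = SimpleCookie()
    jar["_session"] = session_id
    jar["_session"]["httponly"] = True
    jar["_session_secure"] = secure_token_for(session_id)
    jar["_session_secure"]["secure"] = True  # browser sends it over TLS only
    jar["_session_secure"]["httponly"] = True
    return jar


def browser_cookie_header(jar: SimpleCookie, over_tls: bool) -> str:
    """Model the browser rule: Secure cookies are omitted on plain HTTP."""
    sent = [f"{m.key}={m.value}" for m in jar.values() if over_tls or not m["secure"]]
    return "; ".join(sent)


def classify_request(cookie_header: str, over_tls: bool) -> str:
    """Server side: decide how much to trust the cookies on one request."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    if "_session" not in jar:
        return "anonymous"
    if not over_tls:
        # The Secure twin can never arrive here; serve only low-risk pages.
        return "plain-http"
    expected = secure_token_for(jar["_session"].value)
    presented = jar["_session_secure"].value if "_session_secure" in jar else ""
    if not hmac.compare_digest(presented, expected):
        # Session cookie over TLS without its Secure twin: replayed cookie.
        return "sidejack-suspected"
    return "authenticated"
```

Note that the plain-HTTP path still carries the session cookie, so the scheme protects only the actions the server restricts to the "authenticated" state; GitHub's post calls this the first of several measures.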