GitHub Goes HTTPS Only

  GitHub enables HTTPS by default
GitHub, one of the largest code hosting repositories and collaborative development platforms in the world, started to enforce HTTPS, as the default and only method of accessing the website.

GitHub, one of the largest code hosting repositories and collaborative development platforms in the world, started to enforce HTTPS, as the default and only method of accessing the website.

HTTPS (HTTP Secure) is a combination of the Hypertext Transfer Protocol and the SSL/TLS protocol and is used to encrypt communications between Web servers and clients.

The technology is currently used by many online services to protect usernames and passwords during the authentication process, but full-session HTTPS has not seen wide adoption beyond e-commerce and online banking sites.

One of the major issues stemming from with the lack of full HTTPS support, is that attackers can easily sniff network traffic, especially wireless one, and intercept session cookies.

Session cookies are small text files created by websites inside browser in order to remember logged in users.

Unfortunately, these unique identifiers are passed along every time the browser tries to access a protected resource on a website where the user is authenticated.

Hackers can intercept the HTTP requests, extract the session cookies and use them to freely access the accounts of the victims.

This type of attack, called session hijacking, has been known for over a decade, but used to require a certain amount of technical knowledge to pull off.

That changed recently when a programmer released a Firefox extension called FireSheep, which makes such attacks accessible to virtually anyone.

In a week, FireSheep was downloaded over 500,000 times and has attracted a lot of attention from the media, users and webmasters alike.

It looks like GitHub was one of the companies that listened. "GitHub is now SSL only. For security reasons, you'll have to log in again though," the service's maintainers announced on Twitter.

"There will be SSL mixed-content warnings for a bit while we deal with some caching and other issues," they advised in a later tweet.

The change will not affect git pulls, which will continue to be performed over HTTP, because they don't require session cookies.

Comments