by VladRussian 5711 days ago
That dovetails nicely with other posts today on HN about how one can be a great programmer without knowing and understanding the systems fundamentals (i.e. C, low-level networking...). Such programmers and their companies are fast in building cute web apps, yet fail to understand/model, and as a result correctly engineer, what happens outside of the web app box supplied by the framework (for example, like in this case, how it looks on the wire at the transport and application layers).
2 comments

It's a near certainty that Facebook knew, understood, and accepted this vulnerability, since it's as old as the hills and Facebook employs and works with many smart web security people.
> with many smart web security people

That is exactly my point. "Web security" being treated as a separate area where only specific people specialize, instead of being treated as a basic fundamental prerequisite for a web developer.

I'm not following. I'm saying: Facebook certainly knew that if you logged in via a public wireless network that your session cookie could be stolen. They accepted the risk, like many, many other companies do. What do the fundamentals of web dev have to do with this?
But it's not exactly low level though. I mean, any web developer is surely constantly exposed to this in their day-to-day work, e.g. just from using HttpFox. How can you build a web site and not know how a session is managed over HTTP?
Joomla. I have a photographer friend who makes websites on the side and she doesn't have a clue how any of it works under the hood.
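The first comment's point about "how it looks on the wire" and the later question of "how a session is managed over HTTP" come down to one header pair: Set-Cookie on the login response and Cookie on every later request. The script below is an added example, not code from this thread or from any site it mentions; the HTTP exchange, host name and cookie names are constructed. It parses the Set-Cookie headers of a response with the standard library, reconstructs the plaintext follow-up request a browser would send on an open Wi-Fi hotspot, reports which cookies lack Secure and HttpOnly, and shows the hardened Set-Cookie line that keeps the session identifier off a cleartext http:// request.

```python
"""Audit how a session cookie looks on the wire over plain HTTP.

Added example, not code from the HN thread or from any site it mentions.
The HTTP exchange, host name and cookie names below are constructed.
"""
from http.cookies import SimpleCookie


def parse_set_cookies(raw_response: str) -> dict:
    """Return {name: {'value', 'secure', 'httponly'}} for every Set-Cookie
    header in a raw HTTP response (headers and body split by a blank line)."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    jar = SimpleCookie()
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            jar.load(value.strip())
    return {
        n: {
            "value": m.value,
            "secure": bool(m["secure"]),      # '' when the flag is absent
            "httponly": bool(m["httponly"]),
        }
        for n, m in jar.items()
    }


def cookies_sent_in_clear(raw_response: str) -> list:
    """Names of cookies a browser would attach to a later http:// request,
    i.e. the ones readable by anyone sharing the hotspot. Only cookies
    carrying the Secure flag are withheld from plaintext requests."""
    return sorted(n for n, c in parse_set_cookies(raw_response).items()
                  if not c["secure"])


def next_request_on_wire(raw_response: str, host: str, path: str = "/") -> str:
    """The plaintext follow-up request as it appears on the wire: the Cookie
    header carries every non-Secure cookie, session id included."""
    jar = parse_set_cookies(raw_response)
    sent = cookies_sent_in_clear(raw_response)
    lines = [f"GET {path} HTTP/1.1", f"Host: {host}"]
    if sent:
        lines.append("Cookie: " + "; ".join(f"{n}={jar[n]['value']}" for n in sent))
    return "\r\n".join(lines) + "\r\n\r\n"


def audit_cookies(raw_response: str) -> dict:
    """Per-cookie findings a reviewer would raise: no Secure means the value
    travels in clear over HTTP, no HttpOnly means page scripts can read it."""
    findings = {}
    for n, c in parse_set_cookies(raw_response).items():
        problems = []
        if not c["secure"]:
            problems.append("missing Secure: sent over plaintext HTTP")
        if not c["httponly"]:
            problems.append("missing HttpOnly: readable by page scripts")
        if problems:
            findings[n] = problems
    return findings


def hardened_set_cookie(name: str, value: str) -> str:
    """Set-Cookie line with the flags that keep the session off the wire in
    clear: Secure (HTTPS only) plus HttpOnly and SameSite=Lax."""
    return f"Set-Cookie: {name}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


# Constructed sample: a login response served over plain http://, the way
# the thread describes sessions being handled at the time.
RAW_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: sessionid=s3ss10n; Path=/\r\n"
    "Set-Cookie: csrftoken=c5rf; Path=/; HttpOnly\r\n"
    "\r\n"
    "<html>welcome</html>"
)

# Same response with both cookies issued through hardened_set_cookie().
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    + hardened_set_cookie("sessionid", "s3ss10n") + "\r\n"
    + hardened_set_cookie("csrftoken", "c5rf") + "\r\n"
    "\r\n"
    "<html>welcome</html>"
)

if __name__ == "__main__":
    print(next_request_on_wire(RAW_RESPONSE, "example.test"))
    for name, problems in audit_cookies(RAW_RESPONSE).items():
        print(name, "->", "; ".join(problems))
    print("exposed after hardening:", cookies_sent_in_clear(HARDENED_RESPONSE))
```

Running it prints the follow-up request with `Cookie: csrftoken=c5rf; sessionid=s3ss10n` in clear, then the two findings; for the hardened response the Cookie header is absent from any http:// request and the audit comes back empty. The check is deliberately done on the raw header text rather than through a browser, which is the view an intercepting proxy such as HttpFox gives a developer.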