by tptacek 5701 days ago
I'm torn between the fact that Netcraft wrote a rather large blog post taking Github to task for a simple oversight --- against the fact that there is a pervasive misconception that the HTTP cookie "Secure" flag is not a big deal. The "Secure" flag is a very big deal. You might as well not be SSL without it.
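An added example (not from the comment above, and not GitHub's or Netcraft's code) that shows concretely what the Secure flag buys: it audits a few constructed Set-Cookie headers for the attribute and applies the browser rule that decides whether a cookie is transmitted on a plain http:// request, which is the traffic a passive sniffer can read.

```python
from typing import Dict, List, Tuple

# Constructed sample Set-Cookie headers, as an HTTPS-only site might send them.
SAMPLE_SET_COOKIE = [
    "session=abc123; Path=/; HttpOnly",             # missing Secure
    "csrf_token=xyz789; Path=/; Secure; HttpOnly",  # correct
    "prefs=dark; Path=/; Max-Age=31536000",         # missing Secure
]


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Return (cookie name, {attribute name in lowercase: value}) for one header."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")  # flag attributes have no value
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def cookies_missing_secure(headers: List[str]) -> List[str]:
    """Names of cookies the browser would also send on unencrypted requests."""
    return [name for name, attrs in map(parse_set_cookie, headers)
            if "secure" not in attrs]


def would_be_sent(header: str, scheme: str) -> bool:
    """Simplified browser rule: a Secure cookie travels only over https."""
    _, attrs = parse_set_cookie(header)
    return scheme == "https" or "secure" not in attrs


if __name__ == "__main__":
    for name in cookies_missing_secure(SAMPLE_SET_COOKIE):
        print(f"{name}: no Secure flag, exposed on any http:// request")
```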

Even if Github's implementation was misconfigured at first, the right thing would be to inform them, wait for the fix and _then_ blog about how to do it successfully.

Posting zero day exploits is not big or clever. Github's public transition to SSL should have encouraged people to not use Firesheep to try and snoop on their users' traffic. While a false sense of security doesn't help anyone, this kind of blogging remains more actively destructive than helpful.

I don't know the Firesheep guys personally to determine their motivation behind not informing us prior to releasing the extension, but I'm very surprised Netcraft acted this way.

People seem to be jumping on this issue with zero regard for what I think is just common courtesy to site owners.