Pivotal Labs

Tracker and session hijacking

Dan Podsedly
Saturday, October 30, 2010

Last week a certain new Firefox extension made headlines by making it trivial to hijack sessions over wireless networks, and easily access unsuspecting users’ accounts on a long list of major social networking and other websites. Pivotal Tracker had the dubious honor of being on that list.

The plugin author’s intent was to raise awareness of how insecure shared wireless networks are, and to push websites toward serving whole sessions over SSL, which encrypts data in transit so that an eavesdropper on the network cannot read the session cookie and replay it.

Today, most sites use SSL for sign-in and for selected pages that handle sensitive information, but SSL is generally not enabled (or even available) site wide. What this means is that after you sign in to Facebook, as soon as you visit any Facebook page that isn’t served over SSL (for example, your private messages page), your browser sends your session cookie in the clear, and anyone who captures it (a hacker, or just any bored person with Firefox at your local coffee shop) gains full access to your Facebook account.

The recommended solution is for sites to enable SSL for all pages, from sign-in to sign-out.

As of this morning’s update, this is now the default in Tracker. After signing in, you should notice that every page is served via SSL (https:// prefix in the URL). If you never access Tracker on shared networks, however, and would prefer to turn this off, you can do that on the My Profile page by un-checking the ‘Always Use HTTPS’ option.

In addition, you can enable the ‘Always Use HTTPS’ option for specific projects, which will force SSL for every member of the project who visits the project, even if they’ve disabled the HTTPS option on their profile.

We have also added a secondary session cookie that carries the Secure flag, which tells the browser to send it only over HTTPS. A request is not treated as a signed-in session unless both cookies are present, so if you accidentally end up on a non-HTTPS page while signed in (via a bookmark, for example), the cookie your browser exposes on that request is not enough on its own to hijack your session. This approach is similar to what Github describes in their blog post about the problem and their solution.
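The following is an added example (not Tracker’s code, and not taken from the Github post) of the two-cookie scheme described above, written as the kind of helper a Rails app would put behind its sign-in and before_filter logic. The cookie names, the HMAC binding of the second cookie to the session id, the server secret, and the small browser cookie-jar model used to play out the sniff-and-replay are all assumptions made for the illustration.

```ruby
require "openssl"
require "securerandom"

# Added example, not Pivotal Tracker's code. Models the scheme described in
# the post: a normal session cookie plus a second cookie carrying the Secure
# flag, so that a cookie sniffed on a plain-HTTP request cannot be replayed
# into a full session. Cookie names and the HMAC binding are assumptions.
module SessionGuard
  # Hypothetical server secret; a real app loads this from configuration.
  SECRET = "example-server-secret-do-not-use"

  SESSION_COOKIE = "_tracker_session"
  SECURE_COOKIE  = "_tracker_secure"

  # Second-cookie value bound to the session id, so an attacker who captured
  # a session id cannot simply invent the matching secure cookie.
  def self.verifier_for(session_id)
    OpenSSL::HMAC.hexdigest("SHA256", SECRET, session_id)
  end

  # Set-Cookie headers issued at sign-in over HTTPS. Only the second cookie
  # carries Secure, so browsers never send it on an http:// request.
  def self.sign_in_cookies(session_id = SecureRandom.hex(16))
    [
      "#{SESSION_COOKIE}=#{session_id}; Path=/; HttpOnly",
      "#{SECURE_COOKIE}=#{verifier_for(session_id)}; Path=/; Secure; HttpOnly",
    ]
  end

  # Constant-time comparison so a mismatch does not leak which byte differed.
  def self.same?(a, b)
    return false unless a && b && a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Classify an incoming request.
  #   scheme      - "http" or "https"
  #   cookies     - hash of cookie name => value, as the browser sent them
  #   force_https - the user's or project's "Always Use HTTPS" setting
  def self.check(scheme:, cookies:, force_https:)
    return :redirect_to_https if force_https && scheme != "https"
    sid = cookies[SESSION_COOKIE]
    return :anonymous unless sid
    # Over plain HTTP the Secure cookie is absent by construction; the
    # non-secure cookie alone must never be treated as a signed-in session.
    return :unverified unless scheme == "https"
    same?(cookies[SECURE_COOKIE], verifier_for(sid)) ? :authenticated : :rejected
  end
end

# Minimal model of a browser cookie jar: parse Set-Cookie lines and send only
# the cookies whose flags allow the request's scheme.
module BrowserJar
  def self.parse(set_cookie_lines)
    set_cookie_lines.map do |line|
      pair, *attrs = line.split(";").map(&:strip)
      name, value = pair.split("=", 2)
      [name, { value: value, secure: attrs.any? { |a| a.casecmp?("Secure") } }]
    end.to_h
  end

  def self.cookies_for(jar, scheme)
    jar.reject { |_, c| c[:secure] && scheme != "https" }
       .transform_values { |c| c[:value] }
  end
end

# Walk through the attack the post describes, using constructed data.
def demo
  jar = BrowserJar.parse(SessionGuard.sign_in_cookies)

  # The victim follows an old http:// bookmark: the browser sends only the
  # non-secure cookie, which is exactly what an eavesdropper captures.
  sniffed = BrowserJar.cookies_for(jar, "http")

  {
    victim_https:  SessionGuard.check(scheme: "https", cookies: BrowserJar.cookies_for(jar, "https"), force_https: true),
    victim_http:   SessionGuard.check(scheme: "http",  cookies: sniffed, force_https: true),
    sniffed_names: sniffed.keys,
    replay_https:  SessionGuard.check(scheme: "https", cookies: sniffed, force_https: false),
    replay_http:   SessionGuard.check(scheme: "http",  cookies: sniffed, force_https: false),
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Running the file prints the five outcomes: the victim’s own HTTPS request is authenticated, the stray http:// request is redirected, the sniffed jar contains only the non-secure cookie, and replaying that cookie is rejected over HTTPS and treated as unverified over HTTP. Note that the redirect does not un-send the cookie that already went out in the clear; the Secure cookie is what keeps that leak from being enough.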

Note: As part of this change, we’ve had to remove the ‘remember me’ functionality, so you will have to sign in again after you close your browser. We’ll add a more secure version of this feature back to Tracker in the next update, later this week.

About the author: Dan Podsedly

Dan Podsedly manages Pivotal Tracker, Pivotal Labs’ award winning project management and collaboration software.

Dan has been building large applications since the Smalltalk era, and has been a practitioner and coach of agile programming methods since the earliest days of Extreme Programming. He has led projects in a variety of industries, built a consulting practice from the ground up, and was instrumental in the successful adoption of agile methods at some of the world's largest e-commerce companies.

Dan joined Pivotal in 2004 as Principal, and spent the next four years leading Pivotal’s largest client engagements. In 2008, Dan led the public launch of Pivotal Tracker, originally developed as an internal tool to help Pivotal developers improve their efficiency, and has grown the product into what it is today - a popular, well known force of agile transformation in the software industry used by hundreds of thousands of developers.
