About six months ago, a certain Firefox extension made headlines by making it incredibly easy for people to intercept insecure web cookies and access private information on major web sites such as Facebook, as well as Pivotal Tracker.
In response, we made session-wide HTTPS enabled by default, but made it possible to disable it on your profile. We also left the option to force HTTPS only access for specific projects.
This partial HTTPS approach required us to use a somewhat complicated secure cookie scheme to prevent secure session hijacking (aka “sidejacking”). While this did close the door to this particular attack vector, it introduced some session instability, especially in Safari, due to intermittent dropping of secure cookies. Also, full HTTPS is generally considered to be more secure.
In next week’s release, Tracker is going all HTTPS. The static front pages will remain non-HTTPS by default, but all internal pages, for example the dashboard and project pages, will now be HTTPS-only. This will make Tracker more secure, and it allows us to remove the extra cookies related to session hijacking prevention, which should help with unintentional browser session expiration.
In addition, we’re improving how the Remember me option works—it will now allow you to stay signed in for two weeks in multiple browsers.
Note: You will continue to be able to use the API via plain HTTP, unless the project you’re accessing has the Use HTTPS option set.