There are many benefits of this change, but the most immediate benefit is that Sifter is now protected from session hijacking and Firesheep. If you’re interested in an overview of this kind of change, the EFF also has a great article on deploying HTTPS correctly.
SSL Everywhere
The biggest difference is that all accounts are now served over SSL. So, if you’re on the personal plan, you’ll notice that SSL is now included. Just to be thorough, we’re even serving all of the pages on our public site via SSL.
HTTP Strict Transport Security
To better support the new SSL everywhere policy, we’ve also enabled HSTS. The simplest explanation is that our server tells your browser that it should expect to access Sifter over SSL on every request. Without HSTS, if you don’t explicitly type “https://” in a URL, your browser’s first request to that URL goes out over plain HTTP, and only then does the server redirect you to the secure page. With HSTS, your browser already knows to access the site via SSL and skips that insecure first request. HSTS isn’t supported in all browsers, but if you’re using the latest version of Chrome or Firefox, you should be all set.
For those interested in the technical bits, this was a fairly simple change to the response headers Apache sends. Naturally, the change will depend on your server, but from what I can tell, it’s straightforward for other servers as well.
Secure Cookies
Sifter also now uses secure cookies, which means your browser will not send the cookies to us unless the connection is over SSL. As a result, we’ve had to rename the cookies in order to invalidate older, insecure cookies. This is the change that led to everyone needing to log in again.
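As an added example (not Sifter’s own code), the following Python script checks the three properties described above, run against constructed sample responses rather than live traffic: the plain-HTTP request is redirected to https://, the HTTPS response carries a Strict-Transport-Security header with an adequate max-age, and every session cookie is marked Secure (and HttpOnly). The host name, cookie names and header values are made up; the weak pair shows what the check reports when none of this is in place.

```python
import re

# Constructed sample responses (not captured from Sifter). The first is the
# answer to a plain-HTTP request, the second to the matching HTTPS request.
GOOD_HTTP = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://tracker.example/\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
GOOD_HTTPS = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: _tracker_session_secure=abc123; Path=/; Secure; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
# A weak configuration for comparison: no redirect, no HSTS, cookie sent in the clear.
WEAK_HTTP = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: _tracker_session=abc123; Path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
WEAK_HTTPS = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: _tracker_session=abc123; Path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)


def parse_response(raw):
    """Split a raw HTTP response into (status_code, [(header_name, value), ...])."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def hsts_max_age(headers):
    """max-age from Strict-Transport-Security, or None if the header is absent."""
    for name, value in headers:
        if name == "strict-transport-security":
            m = re.search(r"max-age=(\d+)", value)
            return int(m.group(1)) if m else 0
    return None


def cookie_attributes(headers):
    """Yield (cookie_name, set of lower-cased attribute names) per Set-Cookie header."""
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
        yield cookie_name, attrs


def audit(http_raw, https_raw, min_max_age=31536000):
    """Return a list of findings; an empty list means the policy is in place."""
    findings = []

    # The plain-HTTP request must be redirected, and must never set a cookie.
    status, headers = parse_response(http_raw)
    location = dict(headers).get("location", "")
    if status not in (301, 308) or not location.startswith("https://"):
        findings.append("plain HTTP request is not redirected to https://")
    for cookie_name, _ in cookie_attributes(headers):
        findings.append(f"cookie {cookie_name} is set over plain HTTP")

    # The HTTPS response must carry HSTS and only Secure, HttpOnly cookies.
    status, headers = parse_response(https_raw)
    age = hsts_max_age(headers)
    if age is None:
        findings.append("HTTPS response carries no Strict-Transport-Security header")
    elif age < min_max_age:
        findings.append(f"HSTS max-age {age} is below the {min_max_age}s minimum")
    for cookie_name, attrs in cookie_attributes(headers):
        if "secure" not in attrs:
            findings.append(f"cookie {cookie_name} lacks the Secure flag")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie_name} lacks the HttpOnly flag")
    return findings


if __name__ == "__main__":
    for label, pair in (("hardened", (GOOD_HTTP, GOOD_HTTPS)),
                        ("weak", (WEAK_HTTP, WEAK_HTTPS))):
        print(label, audit(*pair) or ["no findings"])
```

The redirect check accepts only permanent redirects (301 or 308), because a temporary one would leave browsers without HSTS repeating the insecure first request; the cookie check treats any cookie set over plain HTTP as a finding, since a cookie issued before the secure flag is added is exactly what the renaming described above invalidates.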
Summary
We’re regularly making security improvements to Sifter, and we usually just do it and move on without any announcements, but in this case, due to the impact on customers and the breadth of the update, we thought it was worth making a formal announcement. You should expect to see secure connections any time you access Sifter, regardless of your type of account or whether you’re logged in or on the public site. If you have any questions or concerns or run into any problems, please let us know.