Hi Jeff,

Great post, thanks for clearly thinking this through; you no doubt understand most of the problem and what's happening to make it all possible.

Regarding your stance that Stack Overflow should not be SSL to protect the auth cookie: if there were some mechanism to somehow lock a browsing user to their session such that it couldn't be stolen/replayed/whatever by a passive attacker, what about active attacks? What about Man in the Middle attacks, where someone injects JS into your page and performs actions as you by those means? This could happen on the local network, at your ISP, or by your government, depending on what your personal threat model is. For protection against that, you need integrity and authentication, two things that SSL does very well. Add in privacy with symmetric crypto essentially for free (really, because you'd already be doing public-key operations to get authentication, and SSL/TLS session resumption makes this quite fast after those operations are finished initially) - why not go with SSL for this?

Obviously I'm using Stack Overflow as an example here, not to poke and troll at you - I trust you can think about this idea as it applies to many other sites.

Do you have any thoughts on Google's SPDY? It stands to fix a lot of the problems with HTTP and streamline things. The security model there appears to just default to having everything be in an SSL channel, vs. an option.

Thanks!

Ian Gallagher
Firesheep co-dev/co-presenter
Commented Nov 14, 2010 on Breaking the Web's Cookie Jar at Coding Horror
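The comment above separates two threat classes against a plaintext-HTTP session: a passive sniffer on the same network (the Firesheep case) and an active man-in-the-middle who can inject script. The following is an added example, not code from the comment author or from Coding Horror, that audits a site's response headers for the two mitigations that address each class: the `Secure` (and `HttpOnly`) attributes on the auth cookie, which keep a passive listener from ever seeing it over HTTP, and a `Strict-Transport-Security` header, which keeps the browser off plaintext HTTP so an active attacker has no page to inject into. The response headers, the list of session-like cookie names and the one-year minimum HSTS lifetime are all constructed assumptions for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample response headers for illustration; not captured from
# Stack Overflow or any other real site.
SAMPLE_HEADERS: List[Tuple[str, str]] = [
    ("Set-Cookie", "usr=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "prefs=dark; Path=/"),
    ("Set-Cookie", "sess=def456; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]

# Assumed heuristic: name fragments that suggest a cookie carries a login session.
SESSION_NAME_HINTS = ("sess", "auth", "usr", "user", "token", "sid", "login")

# Assumed policy: one year is a common minimum HSTS lifetime.
MIN_HSTS_MAX_AGE = 31536000


@dataclass
class CookieInfo:
    name: str
    secure: bool
    httponly: bool
    samesite: Optional[str]


def parse_set_cookie(value: str) -> CookieInfo:
    """Parse one Set-Cookie header value into its name and the flags we care about."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, val = part.split("=", 1)
            attrs[key.strip().lower()] = val.strip()
        else:
            attrs[part.lower()] = True  # flag attributes such as Secure / HttpOnly
    samesite = attrs.get("samesite")
    return CookieInfo(name, "secure" in attrs, "httponly" in attrs,
                      samesite if isinstance(samesite, str) else None)


def parse_hsts(value: str) -> Tuple[Optional[int], bool]:
    """Return (max-age in seconds, or None if absent/malformed; includeSubDomains present)."""
    max_age: Optional[int] = None
    include_subdomains = False
    for directive in value.split(";"):
        directive = directive.strip()
        if directive.lower().startswith("max-age="):
            try:
                max_age = int(directive.split("=", 1)[1].strip().strip('"'))
            except ValueError:
                max_age = None
        elif directive.lower() == "includesubdomains":
            include_subdomains = True
    return max_age, include_subdomains


def looks_like_session_cookie(name: str) -> bool:
    return any(hint in name.lower() for hint in SESSION_NAME_HINTS)


def audit(headers: List[Tuple[str, str]]) -> List[str]:
    """Return findings: passive-sniffer exposure (cookie flags) and active-MITM exposure (HSTS)."""
    findings: List[str] = []
    cookies = [parse_set_cookie(v) for k, v in headers if k.lower() == "set-cookie"]
    hsts_values = [v for k, v in headers if k.lower() == "strict-transport-security"]

    for cookie in cookies:
        if not looks_like_session_cookie(cookie.name):
            continue  # preference cookies are low value; focus on the auth cookie
        if not cookie.secure:
            findings.append(f"cookie {cookie.name!r} lacks Secure: the browser sends it over "
                            "plain HTTP, where a passive sniffer can read and replay it")
        if not cookie.httponly:
            findings.append(f"cookie {cookie.name!r} lacks HttpOnly: script injected into "
                            "the page can read it directly")

    if not hsts_values:
        findings.append("no Strict-Transport-Security: an active man-in-the-middle can keep "
                        "the browser on HTTP and inject script that acts as the user")
    else:
        max_age, include_subdomains = parse_hsts(hsts_values[0])
        if max_age is None or max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age {max_age!r} is below {MIN_HSTS_MAX_AGE} seconds")
        if not include_subdomains:
            findings.append("HSTS lacks includeSubDomains: a parent-domain cookie can still "
                            "be sent to an HTTP subdomain")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_HEADERS):
        print("-", finding)
```

On the constructed headers the audit reports exactly one problem: the `usr` cookie is missing `Secure`, so even though the site offers HTTPS a passive listener still sees the cookie whenever the browser follows a plain `http://` link. Note that the cookie flags alone answer only the passive case the comment starts from; the HSTS check is what addresses the active attacker who injects JS, because without it there is nothing stopping the browser from loading the plaintext page in the first place.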