Comment 17 for bug 46591

Martin Pool (mbp) wrote :

@mpt Based on a _brief_ reading of that article, it seems the attack will not work against sites that set the https-only bit on cookies. I've been told by Francis that Launchpad does this and just confirmed it by looking at my browser cookies.

But more generally it's true that allowing unencrypted authenticated connections does increase the attack surface.

See also bug 337517 for a smaller version of this bug.
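The comment above hinges on one browser rule: a cookie set with the Secure attribute (the "https-only bit") is never attached to a plain http request, so it cannot be captured from cleartext traffic. The Python below is an added illustration of that rule, not code from the comment or from Launchpad; the Set-Cookie headers and cookie names in it are constructed samples, and the model ignores Path, Domain and expiry handling.

```python
"""Model of the Secure-cookie rule plus a small defender's check over
Set-Cookie headers.  Sample headers are constructed for illustration; they are
not Launchpad's real cookies (assumption: names and values are invented)."""

from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass
class Cookie:
    name: str
    value: str
    secure: bool
    http_only: bool


def parse_set_cookie(header: str) -> Cookie:
    """Parse a Set-Cookie header value into a Cookie record.

    Only the name=value pair and the boolean Secure / HttpOnly attributes are
    interpreted; Path, Domain, Expires and friends are ignored in this model.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {p.lower() for p in parts[1:]}
    return Cookie(name=name.strip(), value=value.strip(),
                  secure="secure" in attrs, http_only="httponly" in attrs)


def cookies_for_request(jar: list[Cookie], url: str) -> dict[str, str]:
    """Return the cookies a browser would attach to a request for ``url``.

    This models only the Secure rule: a Secure cookie is withheld unless the
    request scheme is https, so it never travels over a cleartext connection.
    """
    scheme = urlparse(url).scheme.lower()
    return {c.name: c.value for c in jar if not c.secure or scheme == "https"}


def cookies_missing_secure(headers: list[str]) -> list[str]:
    """Names of cookies set without the Secure attribute.

    Run over the Set-Cookie headers a site returns, this flags cookies that a
    browser would still send on an http URL.  Any session or authentication
    cookie in the result is the kind of exposure the comment above describes.
    """
    return [c.name for c in map(parse_set_cookie, headers) if not c.secure]


# Constructed sample headers (assumption: not real Launchpad cookies).
SAMPLE_HEADERS = [
    "session=abc123; Path=/; Secure; HttpOnly",
    "prefs=compact; Path=/",
]

if __name__ == "__main__":
    jar = [parse_set_cookie(h) for h in SAMPLE_HEADERS]
    # The session cookie is absent from the http request but present on https.
    print("http :", cookies_for_request(jar, "http://example.test/"))
    print("https:", cookies_for_request(jar, "https://example.test/"))
    print("set without Secure:", cookies_missing_secure(SAMPLE_HEADERS))
```

Running the script shows the session cookie dropped from the http request and only the preference cookie reported by `cookies_missing_secure`; pointing that check at a real site's response headers is a quick way to confirm what the comment confirmed by hand in the browser.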