Last Tuesday, we rolled out a secure cookies for all SSL-protected pages. This meant that all private repositories, user dashboards, all admin settings (even for free users and repositories) were protected against sidejacking attempts. However, any user actions on gists and public repositories (such as issues, wikis, downloads) were still vulnerable.
Last night, we rolled out the next phase from our latest security audit: SSL everywhere. Every hit to the website, whether you’re logged in or not, is over HTTPS with a secure cookie.
This is a big step, but we’re still seeing some resources being served directly from other sites and giving SSL warnings. We’re going to address this issue next. In the meantime your browsers might give warnings that look like this.
Our next step will be to fix these insecure assets that you might see in commit and issue comments. We’re hoping to have the remaining issues fixed over the next few days.