There’s a hideous irony in Tumblr warning their users to change their passwords in the wake of Heartbleed, when up until recently they didn’t even support HTTPS for anything other than the login page. Transmitting session keys in cleartext cookies after encrypted authentication? Sure!