On Thu, 28 Oct 2010 15:42:31 +0800, Gergely Imreh <imrehg@gmail.com> wrote:
On 28 October 2010 14:59, Justin Davis <jrcd83@gmail.com> wrote:
Pierre, how is sending publicly available information unencrypted insecure? It does not warrant a need for additional security in the first place. If someone wants to see what comments you post on a package they go look at the package's page. They don't have to sniff your traffic. I am secure in my AUR traffic's triviality.
Please correct me if I'm wrong, it's not just about sniffing, it's about hijacking your session. E.g. one could record you logging in, then come back later and orphan your packages (a "better" bad case), or update them with malicious code (a worse one) while it looks like it was you... Not saying one would do that, but if we are throwing around hypotheticals...
Cheers, Greg
Yes, https is not only about preventing others from reading the transmitted data. It's also about making sure data was sent from the correct server and hasn't been altered, e.g. that nobody has injected some code. Only encrypting the login page does not help much: the session itself has to be sent unencrypted and can be hijacked. Only encrypting when one is logged in makes it inconvenient for users, as they would always have to add the s to http (or click a link) when visiting a link etc. As for the server load: that's not true these days. There are some studies from Google from when they switched to https, and also from my own experience the increased load is not significant enough to argue about. In general I think it's a good idea that we now use https for most sites, and we shouldn't discuss whether that is sane or not but why some clients are unable to handle it.
-- 
Pierre Schmitz, https://users.archlinux.de/~pierre
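As an added example that is not part of the original thread, the following check models Pierre's point: a session cookie issued on an HTTPS login page is still sent in the clear on later http:// pages unless it carries the Secure attribute and the site sends HSTS. The cookie and header values are constructed samples; `audit_session_cookie` is a hypothetical helper written for this illustration.

```python
"""Audit a Set-Cookie value for the 'login-only HTTPS' session-hijack gap.

Added example, not code from the original mailing-list thread. It only
inspects response headers; it does not touch any server.
"""
from http import cookies


def audit_session_cookie(set_cookie_value, hsts_value=None):
    """Return a list of findings; an empty list means the session stays on HTTPS.

    set_cookie_value: the raw Set-Cookie header value from the login response.
    hsts_value: the Strict-Transport-Security header value, or None if absent.
    """
    jar = cookies.SimpleCookie()
    jar.load(set_cookie_value)
    findings = []
    for name, morsel in jar.items():
        # Without Secure, browsers attach the cookie to plain http:// requests,
        # so every later unencrypted page exposes the session id on the wire.
        if not morsel["secure"]:
            findings.append(f"{name}: no Secure flag, cookie is also sent over http://")
        # Without HttpOnly, script injected into an unencrypted page can read it.
        if not morsel["httponly"]:
            findings.append(f"{name}: no HttpOnly flag, cookie readable by page script")
    # Without HSTS the browser happily follows http:// links to the same site,
    # which is exactly the 'user forgot to add the s' case from the thread.
    if not hsts_value:
        findings.append("no Strict-Transport-Security header, browser may fall back to http://")
    return findings


# Constructed sample headers (not captured from any real server).
WEAK_COOKIE = "sid=constructed0123456789; Path=/"
HARDENED_COOKIE = "sid=constructed0123456789; Path=/; Secure; HttpOnly; SameSite=Lax"
HSTS = "max-age=31536000; includeSubDomains"

if __name__ == "__main__":
    for label, cookie, hsts in (("login-only https", WEAK_COOKIE, None),
                                ("site-wide https", HARDENED_COOKIE, HSTS)):
        print(f"{label}: {audit_session_cookie(cookie, hsts) or ['ok']}")
```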