On Fri, 5 Aug 2011 23:54:57 +0200, Lukas Fleischer wrote:
> We won't do that. HTTPS will be the default but we won't force users to use HTTPS. If you decide to use HTTP intentionally, we won't prevent you from doing so. HTTPS implies an unnecessary overhead and there's no point in forcing everybody to use HTTPS even if one doesn't even have an AUR account.
Seriously, the overhead is negligible, on the client as on the server side. Even for those who don't have an AUR account, HTTPS would prevent anybody else from injecting code. But those won't matter anyway, because securing those who have an account should be the priority. At least ensure that cookies are never sent unencrypted.
> That is kind of fixed in Git (again, check [1], [2], [3] and [4]).
>
> [1] http://projects.archlinux.org/aur.git/commit/?id=1e7b9d57
> [2] http://projects.archlinux.org/aur.git/commit/?id=5ea9fc19
> [3] http://projects.archlinux.org/aur.git/commit/?id=973e4f85
> [4] http://projects.archlinux.org/aur.git/commit/?id=89721137
None of these patches fixes the issue that session data will still be sent unencrypted. This is a real-world issue; even if you log in using HTTPS, it won't be unlikely that you will later visit the site unencrypted (by clicking on a link or some resource you forgot to send via HTTPS).

Greetings,

Pierre

--
Pierre Schmitz, https://users.archlinux.de/~pierre
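An added check that is not part of this thread or of the AUR code base: it inspects a response's Set-Cookie headers for the Secure attribute that Pierre's point depends on, since a session cookie without it is sent by the browser on every plain-HTTP request to the site (the cookie name AURSID and the sample headers are constructed assumptions).

```python
# Added example (not from the thread or the AUR code): audit a server's
# response headers for a session cookie that lacks the Secure attribute
# and is therefore sent on any plain-HTTP request to the site.

def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (cookie name, {attribute: value})."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_session_cookies(headers, session_cookie_names):
    """Return {cookie name: [problems]} for every session cookie the
    response sets, plus whether HSTS is present; headers is a list of
    (name, value) pairs exactly as received from the server."""
    wanted = {n.lower() for n in session_cookie_names}
    findings = {}
    for hname, hval in headers:
        if hname.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(hval)
        if name.lower() not in wanted:
            continue
        problems = []
        if "secure" not in attrs:
            problems.append("no Secure attribute: sent over plain HTTP too")
        if "httponly" not in attrs:
            problems.append("no HttpOnly attribute: readable from script")
        findings[name] = problems
    hsts = any(h.lower() == "strict-transport-security" for h, _ in headers)
    return {"cookies": findings, "hsts": hsts}


# Constructed sample responses; "AURSID" stands in for the session cookie
# name and is an assumption, not taken from the thread.
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "AURSID=abc123; Path=/; HttpOnly"),
]
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Set-Cookie", "AURSID=abc123; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_session_cookies(resp, ["AURSID"]))
```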