On 10/28/2010 08:59 AM, Justin Davis wrote:
On Wed, Oct 27, 2010 at 5:14 AM, Pierre Schmitz <pierre@archlinux.de> wrote:
On Wed, 27 Oct 2010 11:40:19 +0300, Ionuț Bîru <ibiru@archlinux.org> wrote:
As I said earlier in a reply to Loui, maybe we can do it better. Having https only for login and then redirecting to http is like not having it at all.
Ionut, this is a ridiculous claim. Maybe we should tell that to amazon, newegg, and oh I don't know... 99% of websites on the planet? Most sites use https only for logins and transactions. Publicly available information like aur comments, aur packages, images, etc. don't really need encryption. Just about everything sent to/from the AUR is not sensitive information. Except login passwords. I would be pissed off if amazon had the same point of view. What if amazon decided that their https for logins and credit cards was the same as not having it at all and removed it?
Your browser sends your session-id with every request. It would be extremely easy to sniff the session-id, configure your browser to use it, and do malicious actions.
This also works if the AUR associates session-ids with the IP of the user: The attacker could use the same NAT-gateway as the user.
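The point above, that the browser attaches the session cookie to every request and so a post-login redirect to http exposes it, can be checked directly against a Set-Cookie header. The following is an added example, not code from the AUR or from anyone in this thread; the host `aur.example` and the cookie name `AURSID` are constructed placeholders, and the attribute semantics (a `Secure` cookie is never sent over plain http) follow RFC 6265.

```python
"""Model a browser's cookie decision to show why an https-only login that
redirects back to http leaks the session id (constructed example)."""
from urllib.parse import urlsplit


def parse_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie header into name, value and the two flags that matter here."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    return {
        "name": name.strip(),
        "value": value.strip(),
        "secure": "secure" in attrs,
        "httponly": "httponly" in attrs,
    }


def cookie_sent_on(cookie: dict, url: str) -> bool:
    """A browser attaches the cookie unless it is Secure and the request is plain http."""
    return urlsplit(url).scheme == "https" or not cookie["secure"]


def audit_session_cookie(set_cookie: str, post_login_url: str) -> list[str]:
    """Return the findings a reviewer would raise for this cookie and redirect target."""
    cookie = parse_set_cookie(set_cookie)
    findings = []
    if not cookie["secure"]:
        findings.append(f"{cookie['name']} lacks Secure: the browser sends it on any http:// request")
    if not cookie["httponly"]:
        findings.append(f"{cookie['name']} lacks HttpOnly: page script can read it")
    # The redirect target is where the session cookie travels first after login.
    if urlsplit(post_login_url).scheme != "https" and cookie_sent_on(cookie, post_login_url):
        findings.append(f"post-login redirect to {post_login_url} sends {cookie['name']} in clear text")
    return findings


if __name__ == "__main__":
    # Constructed headers: the weak setup from the thread, then the hardened one.
    for hdr, target in [("AURSID=abc123; Path=/", "http://aur.example/"),
                        ("AURSID=abc123; Path=/; Secure; HttpOnly", "https://aur.example/")]:
        print(hdr, "->", audit_session_cookie(hdr, target) or ["ok"])
```

Binding the session to the client IP, as the thread notes, does not change this outcome: the check above is about whether the cookie ever crosses the wire unencrypted, which it does whenever `Secure` is missing and any http:// page of the site is visited.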