On 10/28/10 02:59, Justin Davis wrote:
Pierre, How is sending publicly available information unencrypted insecure?
Some (weak) arguments:
1. net infrastructure in between me and Arch-server can see which specific pages on aur.archlinux.org that I'm loading. And even change data such as PKGBUILDs maliciously, in theory.
2. in places with unencrypted/unencryptable wifi (like my college, for some reason..) my physical neighbors can spy on that information too.
3. "all https" reduces the chances of the website having bugs (security flaws) where it leaves the wrong things unencrypted... and if it has those bugs, it's not like we would notice, because it only affects people who are going out of their way to try and get other people's info.
(It's good for a website to have option of all-https though. So the paranoid among us can use it. Related work: https://www.eff.org/https-everywhere Recent hype: http://codebutler.com/firesheep (about insecurity of logins that persist by means of unencrypted cookie -- I'm not sure, does this affect a partly-http AUR too, if you're logged in?))