On Fri, 5 Aug 2011 19:22:21 -0400, Loui Chang wrote:
If I recall correctly some time after that debate/argument there was a problem with certificates and wget
Wget was broken, yes. But this is fixed by now.
- a problem that was supposedly
impossible. Anyways, the redirect is Really God Damned Annoying. If I ask for HTTP please give me HTTP. If I ask for ssl on top give me that. Please don't employ hacky rules in the web server config.
That is a strange argument. First of all why would you explicitly decide against encryption? And more important: Most users don't decide using to HTTP. This decision is made by links theyy click or their browser when typing in the URL directly.
That redirect is subject to a MITM attack just as well. A user might not even notice that they've been redirected to another site. If you really want to promote security don't even respond to requests on port 80.
This argument is hard to follow. So you say using no encryption will lower the chance of mtm attacks? Not responding on port 80 is a bad idea as browser will try this port first and there are a lot of old links around.
I agree that encryption should be recommended, but not forced.
Maybe forcing is a bad word here. Its more about ensuring security. ATM http is recommend and I bet most users use the AUR unencrypted atm.