On Sat, Aug 06, 2011 at 11:10:48AM +0200, Pierre Schmitz wrote:
On Sat, 6 Aug 2011 02:29:13 +0200, Lukas Fleischer wrote:
Agreed. I'm still against completely disabling HTTP. We will use HTTPs for all links by default so there shouldn't be any users unintentionally pasting HTTP links anywhere. Malicious links might still be an issue but observant users should be aware of that. And using secure cookies should fix that, anyway.
I didn't tell to disable HTTP. Of course you add a redirect there and you might even add the HSTS header. It's not only about links, also people will just typoe in "aur.archlinux.org" into their browser bar and that will open http by default.
Well, "Redirect all http traffic to https by default" sounded to me like disabling plain HTTP. Perhaps I took this too literally.
Anyway, I see I am talking to walls here. Sometimes I wonder why there is so much resistance against encryption. One would think it was the other way round.
Again, and I'm not going to repeat this... I am not against enabling encryption and I am not against making it the default. All I said is that we shouldn't turn down HTTP.