On Sat, 6 Aug 2011 04:30:09 -0400, Loui Chang wrote:
This is why the redirects are also a charade. If Bob requests http://aur.archlinux.org but is redirected to http://aur.archlinux.frank.org rather than https://aur.archlinux.org he is probably expecting http anyways and may not bat an eye.
HSTS tries to address this issue. At least regular users will be secured by using this.
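What HSTS changes for Bob's request, as an added example that is not part of the original thread: a simplified model of a browser's HSTS store following RFC 6797. The class and method names are hypothetical, and preload lists and certificate-error handling are left out.

```javascript
// Added example: simplified model of a browser's HSTS store (RFC 6797).
// Class and method names are hypothetical; preload lists are not modelled.
class HstsStore {
  constructor() { this.hosts = new Map(); } // host -> { expires, includeSub }

  // Record a Strict-Transport-Security header seen on a response.
  // Returns true if the header was accepted.
  noteResponse(url, headerValue, now) {
    const u = new URL(url);
    // A header on plain http is ignored: an on-path attacker could forge it.
    if (u.protocol !== 'https:' || !headerValue) return false;
    let maxAge = null, includeSub = false;
    for (const part of headerValue.split(';')) {
      const [name, raw = ''] = part.trim().split('=');
      const key = name.trim().toLowerCase();
      if (key === 'max-age') {
        const v = raw.trim().replace(/^"(.*)"$/, '$1');
        if (!/^\d+$/.test(v)) return false;
        maxAge = Number(v);
      } else if (key === 'includesubdomains') {
        includeSub = true;
      }
    }
    if (maxAge === null) return false;               // max-age is mandatory
    if (maxAge === 0) this.hosts.delete(u.hostname); // site withdraws the policy
    else this.hosts.set(u.hostname, { expires: now + maxAge * 1000, includeSub });
    return true;
  }

  // Exact match, or a parent domain that set includeSubDomains.
  isKnown(host, now) {
    const labels = host.toLowerCase().split('.');
    for (let i = 0; i < labels.length; i++) {
      const entry = this.hosts.get(labels.slice(i).join('.'));
      if (entry && entry.expires > now && (i === 0 || entry.includeSub)) return true;
    }
    return false;
  }

  // URL actually requested: http is rewritten to https before any packet
  // leaves, so there is no cleartext redirect for anyone to tamper with.
  effectiveUrl(url, now) {
    const u = new URL(url);
    if (u.protocol === 'http:' && this.isKnown(u.hostname, now)) u.protocol = 'https:';
    return u.href;
  }
}
```

The upgrade only applies once a policy has been stored from an earlier https response and until its max-age runs out; a first visit over http is requested as typed.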