On Sat, 6 Aug 2011 14:07:34 +0200, Lukas Fleischer wrote:
On Sat, Aug 06, 2011 at 01:40:38PM +0200, Pierre Schmitz wrote:
On Sat, 6 Aug 2011 04:30:09 -0400, Loui Chang wrote:
This is why the redirects are also a charade. If Bob requests http://aur.archlinux.org but is redirected to http://aur.archlinux.frank.org rather than https://aur.archlinux.org he is probably expecting http anyways and may not bat an eye.
HSTS tries to address this issue. At least regular users will be secured by using this.
That is crap. HSTS alone won't fix this at all. If the response to the first HTTP request is already injected, the browser won't even see the HSTS headers at all. As I said before, the certificate itself is the only feature that allows for checking authenticity here.
Neither I nor the HSTS website tells you that this is about securing the first http request. That's why I said this will only secure regular users. Also you should note that this is only a small step to make things a little more secure.
Anyway, this is going nowhere. So if the TUs and AUR users prefer less security somehow, there is not much I can do about it. All arguments have been described, so now it's up to you to decide whether to ignore them or not.
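The point the two sides are circling is how a browser's HSTS store behaves on the very first request. Below is an added example (not code from this thread or from the AUR project) that models that store per RFC 6797: a Strict-Transport-Security header is only honoured when it arrives over HTTPS, and an http:// URL is only upgraded for hosts already in the store. The hostname is the one from the thread; the responses are constructed, and the plain-HTTP responses stand in for whatever the first unprotected request happens to return.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample responses keyed by (scheme, host). The HTTPS answer is
# what a correctly configured server sends once the certificate has been
# checked; the HTTP answers model the first, unprotected request.
HTTPS_WITH_STS = {
    ("http", "aur.archlinux.org"): {},
    ("https", "aur.archlinux.org"): {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains"
    },
}

# A plain-HTTP response that happens to carry an STS header: RFC 6797 8.1
# requires the browser to ignore it, so it must not populate the store.
STS_ONLY_OVER_HTTP = {
    ("http", "aur.archlinux.org"): {
        "Strict-Transport-Security": "max-age=31536000"
    },
}


class HstsStore:
    """Minimal model of a browser's HSTS known-hosts list (hypothetical class)."""

    def __init__(self):
        self.known_hosts = set()

    def upgrade(self, url):
        """Rewrite http:// to https:// only for hosts already in the store."""
        p = urlsplit(url)
        if p.scheme == "http" and p.hostname in self.known_hosts:
            return urlunsplit(("https", p.netloc, p.path, p.query, p.fragment))
        return url

    def observe(self, scheme, host, headers):
        """Record the host iff the STS header arrived over a secure transport."""
        if scheme != "https":
            return False
        if "Strict-Transport-Security" in headers:
            self.known_hosts.add(host)
            return True
        return False


def browse(store, url, responses):
    """Fetch one URL as a browser would and return the scheme actually used."""
    effective = store.upgrade(url)
    p = urlsplit(effective)
    headers = responses.get((p.scheme, p.hostname), {})
    store.observe(p.scheme, p.hostname, headers)
    return p.scheme


def first_visit_over_http():
    """User types the bare hostname twice; nothing secure ever happens."""
    store = HstsStore()
    return [browse(store, "http://aur.archlinux.org/", HTTPS_WITH_STS)
            for _ in range(2)]


def first_visit_over_https():
    """One secure visit seeds the store; the later http:// URL is upgraded."""
    store = HstsStore()
    return [browse(store, "https://aur.archlinux.org/", HTTPS_WITH_STS),
            browse(store, "http://aur.archlinux.org/", HTTPS_WITH_STS)]


def sts_over_http_populates_store():
    """An STS header seen over plain HTTP must not be trusted."""
    store = HstsStore()
    browse(store, "http://aur.archlinux.org/", STS_ONLY_OVER_HTTP)
    return "aur.archlinux.org" in store.known_hosts


if __name__ == "__main__":
    print("http first:", first_visit_over_http())      # ['http', 'http']
    print("https first:", first_visit_over_https())    # ['https', 'https']
    print("STS over http trusted:", sts_over_http_populates_store())  # False
```

Read together, the three scenarios say what both messages above say in prose: HSTS protects every request after one successful HTTPS visit, and nothing about the first one. That first visit is only as trustworthy as the certificate check that gates the header (a browser-side preload list, which this model omits, is the usual answer to the gap).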