[aur-general] aur website default ssl

Justin Davis jrcd83 at gmail.com
Thu Oct 28 02:59:52 EDT 2010

On Wed, Oct 27, 2010 at 5:14 AM, Pierre Schmitz <pierre at archlinux.de> wrote:
> On Wed, 27 Oct 2010 11:40:19 +0300, Ionuț Bîru <ibiru at archlinux.org>
> wrote:

>> As I said earlier in a reply to Loui, maybe we can do it
>> better. Having https only for login and then redirecting to http is
>> like not having it at all.

This is a ridiculous claim. Maybe we should tell that to Amazon,
Newegg, and oh I don't know... 99% of websites on the planet? Most
sites use https only for logins and transactions. Publicly available
information like AUR comments, AUR packages, images, etc. doesn't really
need encryption. Just about everything sent to/from the AUR is not
sensitive information. Except login passwords. I would be pissed off
if Amazon had the same point of view. What if Amazon decided that
their https for logins and credit cards was the same as not having it
at all and removed it?

> Simply using https for all connections is the easiest and best solution
> imho. Everything in between is either insecure or inconvenient for the
> users. And I also don't see the need for it. Every sane http client
> should handle a http redirect and https. If it does not it's just a bug
> in the client. Of course it is unfortunate that this wasn't tested by
> the clyde author before.

How is sending publicly available information unencrypted insecure? It
does not warrant a need for additional security in the first place. If
someone wants to see what comments you post on a package they go look
at the package's page. They don't have to sniff your traffic. I am
secure in my AUR traffic's triviality.

How is https for logins inconvenient for users? Forwarding between
http and https happens transparently on every major website. Most
people wouldn't know it was happening if it wasn't for the padlock
graphic. Many still don't.

Anyway, the problem with clyde is fixed thanks to a (deleted?) comment
by tarfu on the AUR. luasec just needed to be installed. I just
freaked out a little when I came home and found clyde broken. I still
want to switch it to luacurl and have the code ready.

I know you guys meant well and I probably shouldn't be so negative but
it sort of reminds me of when I saw some kids lock their bikes up to a
short post that I could easily lift the bike over. I disagree with the
principles you have stated but not with your motives.
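The disagreement above turns on what happens to the session after the login-over-https, redirect-to-http step. The following added example (not code from this thread, the AUR, or clyde) simulates that step with Python's standard cookie jar: a cookie is set by an https login response and the jar is then asked what it would send on a subsequent plain-http request to the same host. The hostname, the cookie name and the paths are constructed for the illustration, and the "response" is a minimal stand-in object with just the info() method the jar reads.

```python
import http.cookiejar
import urllib.request
from email.message import Message


class _FakeResponse:
    """Minimal stand-in for a urllib response: CookieJar only calls .info()."""

    def __init__(self, headers):
        self._msg = Message()
        for name, value in headers:
            self._msg.add_header(name, value)

    def info(self):
        return self._msg


def login_then_browse(set_cookie_value):
    """Set a session cookie from an https login response, then return the
    Cookie header the jar would attach to a plain-http request on the same
    host (None if nothing would be sent). Hostname and paths are assumed."""
    jar = http.cookiejar.CookieJar()

    # Step 1: the login happened over https and the server set a session cookie.
    login_req = urllib.request.Request("https://aur.example.test/login")
    jar.extract_cookies(_FakeResponse([("Set-Cookie", set_cookie_value)]), login_req)

    # Step 2: the site redirects the browser back to http for everything else.
    plain_req = urllib.request.Request("http://aur.example.test/packages.php")
    jar.add_cookie_header(plain_req)
    return plain_req.get_header("Cookie")


def plain_http_cookie_without_secure():
    # No Secure attribute: the session cookie rides along on the http request,
    # i.e. it is visible to anyone on the path even though the password was not.
    return login_then_browse("AURSID=abc123; Path=/")


def plain_http_cookie_with_secure():
    # With Secure the jar withholds the cookie on http, so the http pages are
    # viewed logged-out; that is the "inconvenient" side of the trade-off.
    return login_then_browse("AURSID=abc123; Path=/; Secure")


if __name__ == "__main__":
    print("without Secure:", plain_http_cookie_without_secure())
    print("with Secure:   ", plain_http_cookie_with_secure())
```

The two outcomes are the two halves of the "insecure or inconvenient" choice discussed above: without the Secure attribute the session identifier is exposed on every subsequent http request; with it, the logged-in session cannot be used on http pages at all, which is why serving everything over https sidesteps the question.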
