[aur-general] aur website default ssl

Kaiting Chen kaitocracy at gmail.com
Thu Oct 28 03:13:42 EDT 2010


>
> Ionut,
> This is a ridiculous claim. Maybe we should tell that to amazon,
> newegg, and oh I don't know... 99% of websites on the planet? Most
> sites use https only for logins and transactions. Publicly available
> information like aur comments, aur packages, images, etc don't really
> need encryption. Just about everything sent to/from the AUR is not
> sensitive information. Except login passwords. I would be pissed off
> if amazon had the same point of view. What if amazon decided that
> their https for logins and credit cards was the same as not having it
> at all and removed it?
>
> > Simply using https for all connections is the easiest and best solution
> > imho. Everything in between is either insecure or inconvenient for the
> > users. And I also don't see the need for it. Every sane http client
> > should handle a http redirect and https. If it does not it's just a bug
> > in the client. Of course it is unfortunate that this wasn't tested by
> > the clyde author before.
>
> Pierre,
> How is sending publicly available information unencrypted insecure? It
> does not warrant a need for additional security in the first place. If
> someone wants to see what comments you post on a package they go look
> at the package's page. They don't have to sniff your traffic. I am
> secure in my AUR traffic's triviality.
>
> How is https for logins inconvenient for users? Forwarding between
> http and https happens transparently on every major website. Most
> people wouldn't know it was happening if it wasn't for the padlock
> graphic. Many still don't.


True story; and a lot of server resources would be saved by not having to
encrypt information that doesn't need to be encrypted.

-- 
Kiwis and Limes: http://kaitocracy.blogspot.com/

