[aur-general] aur website default ssl

Isaac Dupree ml at isaac.cedarswampstudios.org
Thu Oct 28 03:30:59 EDT 2010

On 10/28/10 02:59, Justin Davis wrote:
> Pierre,
> How is sending publicly available information unencrypted insecure?

Some (weak) arguments:

1. net infrastructure in between me and Arch-server can see which 
specific pages on aur.archlinux.org that I'm loading.  And even change 
data such as PKGBUILDs maliciously, in theory.

2. in places with unencrypted/unencryptable wifi (like my college, for 
some reason..) my physical neighbors can spy on that information too.

3. "all https" reduces the chances of the website having bugs (security 
flaws) where it leaves the wrong things unencrypted... and if it has 
those bugs, it's not like we would notice, because it only affects 
people who are going out of their way to try and get other people's info.

(It's good for a website to have option of all-https though.  So the 
paranoid among us can use it.  Related work: 
https://www.eff.org/https-everywhere  Recent hype: 
http://codebutler.com/firesheep (about insecurity of logins that persist 
by means of unencrypted cookie -- I'm not sure, does this affect a 
partly-http AUR too, if you're logged in?))


More information about the aur-general mailing list