[aur-general] aur website default ssl
Isaac Dupree
ml at isaac.cedarswampstudios.org
Thu Oct 28 03:30:59 EDT 2010
On 10/28/10 02:59, Justin Davis wrote:
> Pierre,
> How is sending publicly available information unencrypted insecure?
Some (weak) arguments:
1. net infrastructure in between me and Arch-server can see which
specific pages on aur.archlinux.org that I'm loading. And even change
data such as PKGBUILDs maliciously, in theory.
2. in places with unencrypted/unencryptable wifi (like my college, for
some reason..) my physical neighbors can spy on that information too.
3. "all https" reduces the chances of the website having bugs (security
flaws) where it leaves the wrong things unencrypted... and if it has
those bugs, it's not like we would notice, because it only affects
people who are going out of their way to try and get other people's info.
(It's good for a website to have the option of all-https though. So the
paranoid among us can use it. Related work:
https://www.eff.org/https-everywhere Recent hype:
http://codebutler.com/firesheep (about insecurity of logins that persist
by means of unencrypted cookie -- I'm not sure, does this affect a
partly-http AUR too, if you're logged in?))
-Isaac
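The question at the end of the post (whether a Firesheep-style cookie capture applies to a partly-http site once you are logged in) comes down to one cookie attribute: a session cookie set without the Secure flag is attached by the browser to every request for that host, including plain-http ones, so a mixed http/https site leaks it the first time any page is loaded over http. The following is an added example, not code from the post or from the AUR project, that models that browser rule and reports which attributes a login cookie is missing; the cookie name `aur_session`, its value, and the Set-Cookie headers are constructed for illustration.

```python
"""Check whether a login cookie would leak over plain http on a mixed http/https site.

Added example; the cookie name and Set-Cookie values are constructed, not taken from the AUR.
"""
from http.cookies import SimpleCookie
from urllib.parse import urlparse

SESSION_COOKIE = "aur_session"  # constructed name for illustration only

# Constructed Set-Cookie headers: the first is what a partly-http site typically sends,
# the second adds the Secure flag so the browser only ever sends the cookie over https.
WEAK_SET_COOKIE = f"{SESSION_COOKIE}=d34db33f; Path=/; HttpOnly"
HARDENED_SET_COOKIE = f"{SESSION_COOKIE}=d34db33f; Path=/; HttpOnly; Secure"


def _session_morsel(set_cookie_header, name):
    """Parse a Set-Cookie header and return the Morsel for the session cookie, or None."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    return jar.get(name)


def missing_hardening(set_cookie_header, name=SESSION_COOKIE):
    """Return the attributes a login cookie should carry but does not."""
    morsel = _session_morsel(set_cookie_header, name)
    if morsel is None:
        return ["cookie not present"]
    missing = []
    if not morsel["secure"]:      # flag attributes parse as True when present, "" when absent
        missing.append("Secure")
    if not morsel["httponly"]:
        missing.append("HttpOnly")
    return missing


def would_be_sent(set_cookie_header, url, name=SESSION_COOKIE):
    """Model the browser rule: a Secure cookie is attached only to https requests."""
    morsel = _session_morsel(set_cookie_header, name)
    if morsel is None:
        return False
    if morsel["secure"] and urlparse(url).scheme != "https":
        return False
    return True


def exposure_report(set_cookie_header, urls, name=SESSION_COOKIE):
    """Return the URLs for which the cookie would travel in cleartext (http scheme)."""
    return [
        u for u in urls
        if urlparse(u).scheme == "http" and would_be_sent(set_cookie_header, u, name)
    ]


if __name__ == "__main__":
    # Two page loads on the same host, one over https and one over plain http.
    pages = ["https://aur.archlinux.org/", "http://aur.archlinux.org/"]
    for label, header in (("weak", WEAK_SET_COOKIE), ("hardened", HARDENED_SET_COOKIE)):
        print(f"{label:9s} missing={missing_hardening(header)} "
              f"cleartext_on={exposure_report(header, pages)}")
```

Run as a script it shows the weak cookie being sent on the http page and the hardened one staying on https only. The Secure flag on its own does not stop a browser from making the http request in the first place; the usual companion mitigation is to serve the whole site over https (as the post suggests) so there is no http page for the cookie to ride along with.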