[aur-general] aur website default ssl

Pierre Schmitz pierre at archlinux.de
Thu Oct 28 03:56:27 EDT 2010


On Thu, 28 Oct 2010 15:42:31 +0800, Gergely Imreh <imrehg at gmail.com>
wrote:
> On 28 October 2010 14:59, Justin Davis <jrcd83 at gmail.com> wrote:
>> Pierre,
>> How is sending publicly available information unencrypted insecure? It
>> does not warrant a need for additional security in the first place. If
>> someone wants to see what comments you post on a package they go look
>> at the package's page. They don't have to sniff your traffic. I am
>> secure in my AUR traffic's triviality.
> 
> Please correct me if I'm wrong, it's not just about sniffing, it's
> about hijacking your session.
> Eg. one could record your logging in, then come back later, and orphan
> your packages (a "better" bad case), or update it with malicious code
> (a worse one) while it looks like it was you....
> Not saying one would do that, but if we are throwing around hypotheticals...
> 
> Cheers,
>    Greg

Yes, https is not only about preventing others from reading the
transmitted data. It's also about making sure data was sent from the
correct server and hasn't been altered. E.g. nobody has injected some
code. Only encrypting the login page does not help much.

The session itself has to be send unencrypted and can be hijacked. Only
encrypting when one is login makes it unconvinced for users as they
always would have add the s to http (or click a link) if visiting a link
etc..

As for the server load: that's not true these days. There are some
studies from Google when they switched to https and also from my own
experience the increased load is not that significant to argue about.

In general I think it's a good idea that we now use https for most
sites and we shouldn't discuss about if that is sane or not but why are
some clients unable to handle it.

-- 
Pierre Schmitz, https://users.archlinux.de/~pierre


More information about the aur-general mailing list