[aur-general] aur website default ssl

Malte Rabenseifner mail at malte-rabenseifner.de
Thu Oct 28 04:10:55 EDT 2010


On Thu, 28 Oct 2010 15:42:31 +0800, Gergely Imreh <imrehg at gmail.com>
wrote:
> On 28 October 2010 14:59, Justin Davis <jrcd83 at gmail.com> wrote:
>> On Wed, Oct 27, 2010 at 5:14 AM, Pierre Schmitz <pierre at archlinux.de> wrote:
>>> On Wed, 27 Oct 2010 11:40:19 +0300, Ionuț Bîru <ibiru at archlinux.org>
>>> wrote:
>>
>>>> As I said earlier in a reply to Loui, maybe we can do it
>>>> better. Having https only for login and then redirecting to http is
>>>> like not having it at all.
>>
>> Ionut,
>> This is a ridiculous claim. Maybe we should tell that to amazon,
>> newegg, and oh I don't know... 99% of websites on the planet? Most
>> sites use https only for logins and transactions. Publicly available
>> information like aur comments, aur packages, images, etc don't really
>> need encryption. Just about everything sent to/from the AUR is not
>> sensitive information. Except login passwords. I would be pissed off
>> if amazon had the same point of view. What if amazon decided that
>> their https for logins and credit cards was the same as not having it
>> at all and removed it?
> 
> As the discussion gets more technical, it is good to see what the
> people who actually know all about these issues have to say. I think
> it is very educational (well, for me at least) to read Firesheep's
> author's comment on the people's reactions, and how there are many bad
> solutions that look like good ones. Eg. the "Why is it hard to stay
> safe - Forced SSL/HTTPS for posting of Login/Password credentials
> only" section.
> http://codebutler.com/firesheep-a-day-later
> 
> Re: Amazon and others, just because the big guys do it, does not mean
> they do it right.
> 
>>> Simply using https for all connections is the easiest and best solution
>>> imho. Everything in between is either insecure or inconvenient for the
>>> users. And I also don't see the need for it. Every sane http client
>>> should handle a http redirect and https. If it does not it's just a bug
>>> in the client. Of course it is unfortunate that this wasn't tested by
>>> the clyde author before.
>>
>> Pierre,
>> How is sending publicly available information unencrypted insecure? It
>> does not warrant a need for additional security in the first place. If
>> someone wants to see what comments you post on a package they go look
>> at the package's page. They don't have to sniff your traffic. I am
>> secure in my AUR traffic's triviality.
> 
> Please correct me if I'm wrong, it's not just about sniffing, it's
> about hijacking your session.
> Eg. one could record your logging in, then come back later, and orphan
> your packages (a "better" bad case), or update it with malicious code
> (a worse one) while it looks like it was you....
> Not saying one would do that, but if we are throwing around hypotheticals...
> 
> Cheers,
>    Greg


I am sitting in a (switched) network with over 1000 clients day after
day. I really like the idea of having full-forced-TLS-encryption on
websites. It is the only safe way I can be sure that no one is sniffing
my traffic with a simple arp-spoof. I don't care that other people know
what sites I visit (I have a Facebook account and use the "Like"
buttons, that says all) but I care that there could be someone in this
building who has control over my traffic (whatever his reason may be).
Therefore I agree with Greg's statement above and strongly disagree with
Justin's. It is not about getting information that is public none the
less. It is simply not the right way to get it and should be prevented.
One user +1 from me for https-only on all Arch websites (in the hope the
servers can handle that).

-- 
Malte Rabenseifner, Germany
mail at malte-rabenseifner.de
--
Beneath knowing, understanding.
Beneath understanding, seeing.
Beneath seeing, recognizing.
Beneath recognizing, knowing.
--
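
The login-only HTTPS setup debated in this thread, as an added example that is not part of the original message or of the AUR code: a small audit over recorded response headers that flags what leaves a session cookie readable on a shared network. The host name, cookie name and both sample flows are constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

def cookie_flags(set_cookie):
    """Split one Set-Cookie value into (name, {lowercased attribute names})."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    return name, {p.split("=", 1)[0].lower() for p in parts[1:] if p}

def audit_flow(hops):
    """hops: [(url, status, [(header, value), ...]), ...] in request order.
    Returns (code, detail) findings that leave the session cookie sniffable."""
    findings = []
    for url, _status, headers in hops:
        over_tls = urlsplit(url).scheme == "https"
        for header, value in headers:
            header = header.lower()
            if header == "set-cookie":
                name, attrs = cookie_flags(value)
                if "secure" not in attrs:
                    # The browser will attach this cookie to plain-HTTP requests.
                    findings.append(("cookie-not-secure", name))
            elif header == "location" and over_tls:
                # Resolve relative targets before checking for a downgrade.
                if urlsplit(urljoin(url, value)).scheme == "http":
                    findings.append(("https-to-http-redirect", url))
        if over_tls and not any(h.lower() == "strict-transport-security"
                                for h, _ in headers):
            findings.append(("no-hsts", url))
    return findings

# Constructed sample flows (hypothetical host and cookie name).
LOGIN_ONLY_TLS = [
    ("https://aur.example.org/login", 302,
     [("Set-Cookie", "SID=abc123; Path=/; HttpOnly"),
      ("Location", "http://aur.example.org/")]),
    ("http://aur.example.org/", 200, []),
]
HTTPS_ONLY = [
    ("https://aur.example.org/login", 302,
     [("Set-Cookie", "SID=abc123; Path=/; HttpOnly; Secure"),
      ("Location", "/"),
      ("Strict-Transport-Security", "max-age=31536000")]),
    ("https://aur.example.org/", 200,
     [("Strict-Transport-Security", "max-age=31536000")]),
]

if __name__ == "__main__":
    for label, flow in (("login-only TLS", LOGIN_ONLY_TLS), ("HTTPS only", HTTPS_ONLY)):
        print(label, audit_flow(flow))
```
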

