>
> Ionut,
> This is a ridiculous claim. Maybe we should tell that to amazon,
> newegg, and oh I don't know... 99% of websites on the planet? Most
> sites use https only for logins and transactions. Publicly available
> information like aur comments, aur packages, images, etc don't really
> need encryption. Just about everything sent to/from the AUR is not
> sensitive information. Except login passwords. I would be pissed off
> if amazon had the same point of view. What if amazon decided that
> their https for logins and credit cards was the same as not having it
> at all and removed it?
>
> > Simply using https for all connections is the easiest and best solution
> > imho. Everything in between is either insecure or inconvenient for the
> > users. And I also don't see the need for it. Every sane http client
> > should handle a http redirect and https. If it does not it's just a bug
> > in the client. Of course it is unfortunate that this wasn't tested by
> > the clyde author before.
>
> Pierre,
> How is sending publicly available information unencrypted insecure? It
> does not warrant a need for additional security in the first place. If
> someone wants to see what comments you post on a package they go look
> at the package's page. They don't have to sniff your traffic. I am
> secure in my AUR traffic's triviality.
>
> How is https for logins inconvenient for users? Forwarding between
> http and https happens transparently on every major website. Most
> people wouldn't know it was happening if it wasn't for the padlock
> graphic. Many still don't.

True story; and a lot of server resources would be saved by not having to encrypt information that doesn't need to be encrypted.

--
Kiwis and Limes: http://kaitocracy.blogspot.com/