On Sat, 6 Aug 2011 14:07:34 +0200, Lukas Fleischer wrote:
> On Sat, Aug 06, 2011 at 01:40:38PM +0200, Pierre Schmitz wrote:
>> On Sat, 6 Aug 2011 04:30:09 -0400, Loui Chang wrote:
>> > This is why the redirects are also a charade.
>> > If Bob requests http://aur.archlinux.org but is redirected to
>> > http://aur.archlinux.frank.org rather than https://aur.archlinux.org
>> > he is probably expecting http anyways and may not bat an eye.
>>
>> HSTS tries to address this issue. At least regular users will be
>> secured by using this.
>
> That is crap. HSTS alone won't fix this at all. If the response to the
> first HTTP request is already injected, the browser won't even see the
> HSTS headers at all. As I said before, the certificate itself is the
> only feature that allows for checking authenticity here.
Neither I nor the HSTS website tells you that this is about securing the first HTTP request. That's why I said this will only secure regular users. Also, you should note that this is only a small step to make things a little more secure.

Anyway, this is going nowhere. So if the TUs and AUR users prefer less security, somehow there is not much I can do about it. All arguments have been described, so now it's up to you to decide whether to ignore them or not.

Greetings,

Pierre

-- 
Pierre Schmitz, https://users.archlinux.de/~pierre
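The disagreement above is really about which requests an HSTS policy can cover. The following model of a browser's HSTS cache is an added example written for this page; it is not code from the thread, from the AUR project, or from any browser. It parses the Strict-Transport-Security header as RFC 6797 describes it, applies the rule that only HTTPS responses may set or refresh a policy, and then walks through Bob's situation from the thread three times: a fresh browser whose first plaintext request is answered by something on the path (modelled here as a constructed redirect to the look-alike host Loui named), a returning user whose earlier HTTPS visit set the policy, and a browser whose preload list already contains the domain. The host names, header values and timestamps are constructed for the example.

```python
"""Constructed model of a browser-side HSTS cache (RFC 6797), not browser code."""
import re
import time
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(header):
    """Parse a Strict-Transport-Security value.

    Returns (max_age_seconds, include_subdomains), or None when the header is
    invalid (no max-age, or a directive repeated). Unknown directives are ignored.
    """
    max_age, include_sub, seen = None, False, set()
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name = directive.split("=", 1)[0].strip().lower()
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            m = re.fullmatch(r'max-age\s*=\s*"?(\d+)"?', directive, re.IGNORECASE)
            if not m:
                return None
            max_age = int(m.group(1))
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class HstsStore:
    """Known-HSTS-host cache: host -> (expiry timestamp, includeSubDomains)."""

    def __init__(self, preload=()):
        # Preloaded hosts never expire and cover subdomains in this model.
        self.entries = {h.lower(): (float("inf"), True) for h in preload}

    def note_response(self, url, headers, now=None):
        """Learn a policy from a response. Only HTTPS responses count (RFC 6797 8.1)."""
        parts = urlsplit(url)
        value = headers.get("Strict-Transport-Security")
        if parts.scheme != "https" or value is None or not parts.hostname:
            return False
        parsed = parse_hsts(value)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        now = time.time() if now is None else now
        host = parts.hostname.lower()
        if max_age == 0:
            self.entries.pop(host, None)  # max-age=0 removes the host
        else:
            self.entries[host] = (now + max_age, include_sub)
        return True

    def is_known(self, host, now=None):
        """True if host, or a parent with includeSubDomains, has an unexpired entry."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def rewrite(self, url, now=None):
        """Upgrade http:// to https:// for known hosts; otherwise leave the URL alone."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.is_known(parts.hostname, now):
            netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url


def demo():
    """Bob types the plain http:// URL. Returns the scheme each browser actually used."""
    typed = "http://aur.archlinux.org/"
    hsts = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}

    # 1. Fresh browser: the plaintext request goes out; whatever answers it sets
    #    no policy, because a policy can only be learned from an HTTPS response.
    fresh = HstsStore()
    first = fresh.rewrite(typed, now=0)
    fresh.note_response(first, {"Location": "http://aur.archlinux.frank.org/"}, now=0)

    # 2. Returning user: an earlier HTTPS visit carried the header.
    returning = HstsStore()
    returning.note_response("https://aur.archlinux.org/", hsts, now=0)
    later = returning.rewrite(typed, now=86400)

    # 3. Preloaded domain: upgraded before any request is sent.
    preloaded = HstsStore(preload=["archlinux.org"])
    very_first = preloaded.rewrite(typed, now=0)

    return {
        "fresh": urlsplit(first).scheme,
        "fresh_learned_policy": fresh.is_known("aur.archlinux.org", now=0),
        "returning": urlsplit(later).scheme,
        "preloaded": urlsplit(very_first).scheme,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` gives `fresh` as `http` with no policy learned, and `https` for both the returning and the preloaded browser. That is the whole of the exchange above in one table: the header protects every visit after the first successful HTTPS one, while the very first plaintext request is covered only by preloading, and the certificate remains what actually proves the host's identity.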
