On 3 September 2011 23:49, Gordon JC Pearce <[email protected]> wrote:
> One is that https is painfully slow over slow or unreliable connections (GPRS
> springs to mind; 3G service is patchy here).
> The other is that switching to https has left AUR in a fundamentally broken
> state. If you search for a package on AUR with any of the significant search
> engines, they return an http link. You can't do anything with this, though,
> because *even if you're logged in* you get the "ZOMG OH NOES YOU AREN'T USING
> HTTPS AND HTTPS IS TEH AWSUM!!!!11!!11!" message.
> Now, if clicking on that took you *to the same page but with https* that
> would be fine, but it doesn't. It unceremoniously dumps you on the index
> page for AUR, with no way to get back to the package that you googled.
>
> So, the only way to use AUR from (say) Google is to search for a package,
> click on it, copy the address from the bar, click on the https login link,
> log in (since even if you're logged in, visiting the http page seems to log
> you out), then paste the address you got from the search engine into the
> address bar, edit it to go to https, then hit return. This is hardly a
> seamless user experience, but it ought to be trivial to fix.
>
> Sort it the fuck out.
>
> If you want me to put my money where my mouth is and contribute some code,
> then just ask.

You may want to file a bug report against the AUR project (or the entire site) at http://bugs.archlinux.org/

If I just want to browse a domain or subdomain as a guest I wouldn't want to deal with httpS because (1) it slows down my inherently slow connection (think GPRS/EDGE/2G) and (2) I'm not even logged in to want to protect any kind of credential. As it is currently, the Arch Linux sites are enforcing HTTPS and so even if I don't want SECURE, I have to deal with it.

I didn't speak up against this before because (1) I wasn't surfing around much and (2) I didn't think my opinion/case would matter and (3) I don't even have sufficient technical knowledge to debate this sort of thing.

At the end of the day, though, SECURE for logins is definitely good, but a lot of sites give the user an option to either disable or enable httpS, e.g. Google (GMail; GMail for Mobile) and WordPress. I also know some sites where they only redirect "paying" or "deluxe" users to HTTPS after/during login.

So even if you don't care about your password, it's good to have HTTPS, just to be safe.

--
GPG/PGP ID: 8AADBB10
