On 10/28/2010 08:59 AM, Justin Davis wrote:
> On Wed, Oct 27, 2010 at 5:14 AM, Pierre Schmitz <[email protected]> wrote:
>> On Wed, 27 Oct 2010 11:40:19 +0300, Ionuț Bîru <[email protected]>
>> wrote:
>>> As I said earlier in a reply to Loui, maybe we can do it
>>> better. Having https only for login and then redirecting to http is
>>> like not having it at all.
> Ionut,
> This is a ridiculous claim. Maybe we should tell that to amazon,
> newegg, and oh I don't know... 99% of websites on the planet? Most
> sites use https only for logins and transactions. Publicly available
> information like aur comments, aur packages, images, etc don't really
> need encryption. Just about everything sent to/from the AUR is not
> sensitive information. Except login passwords. I would be pissed off
> if amazon had the same point of view. What if amazon decided that
> their https for logins and credit cards was the same as not having it
> at all and removed it?
Your browser sends your session-id with every request. It would be
extremely easy to sniff the session-id, configure your browser to use
it, and do malicious actions.
This also works if the AUR associates session-ids with the IP of the
user: The attacker could use the same NAT-gateway as the user.
Regards, PyroPeter
--
freenode/pyropeter "12:50 - I press Return."
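To make PyroPeter's point concrete, here is an added example (not code from the thread or from the AUR) that models which cookies a browser attaches to a request after an https login redirects to http. The cookie name `sid`, its value and the two Set-Cookie headers are constructed for illustration; the sending rule follows RFC 6265, under which a cookie marked Secure is never sent over plain http.

```python
from http.cookies import SimpleCookie


def parse_set_cookie(header: str) -> dict:
    """Parse a single Set-Cookie header into name, value and the two
    flags that matter here (Secure, HttpOnly)."""
    jar = SimpleCookie()
    jar.load(header)
    (name, morsel), = jar.items()
    return {
        "name": name,
        "value": morsel.value,
        "secure": bool(morsel["secure"]),
        "httponly": bool(morsel["httponly"]),
    }


def cookies_sent(cookie_jar: list, scheme: str) -> dict:
    """Cookies a browser attaches to a request made over `scheme`.
    A Secure cookie is only sent over https; every other cookie also
    goes out on plain http, where anyone on the path can read it."""
    return {c["name"]: c["value"] for c in cookie_jar
            if scheme == "https" or not c["secure"]}


def session_exposed_after_redirect(set_cookie_header: str) -> bool:
    """Model the scenario from the thread: login over https sets the
    session cookie, then the site redirects the browser to http.
    Returns True if the session id travels in the clear on that request."""
    cookie_jar = [parse_set_cookie(set_cookie_header)]
    return "sid" in cookies_sent(cookie_jar, "http")


# Constructed sample headers (hypothetical values, not real AUR cookies).
WEAK_COOKIE = "sid=c0ffee1234; Path=/; HttpOnly"
HARDENED_COOKIE = "sid=c0ffee1234; Path=/; HttpOnly; Secure"

if __name__ == "__main__":
    print("cookie without Secure leaks on http:",
          session_exposed_after_redirect(WEAK_COOKIE))
    print("cookie with Secure leaks on http:",
          session_exposed_after_redirect(HARDENED_COOKIE))
```

With the Secure flag the session id no longer leaks, but the browser then sends no session cookie on http pages at all, so the user appears logged out there; keeping the whole session on https is what makes the site both safe and usable.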