serve anonymous pages over http rather than https

Bug #337517 reported by Martin Pool
Affects           Status     Importance  Assigned to  Milestone
Launchpad itself  Won't Fix  Low         Unassigned

Bug Description

As a smaller slice than bug 46591, Launchpad could serve content to anonymous (non-logged-in) users over http, rather than redirecting to https.

Anonymous users by definition cannot see private content, and can make few (if any?) changes to the server state.

Pros:
 * these requests would probably load faster, and put less load on the server
 * likewise for robots crawling Launchpad
 * these pages could be more easily cached by squid and in the client's disk cache, further improving the load and response time, and reducing db load
 * this is easier and arguably safer than serving authenticated content in the clear pre 46591, and would give us some experience towards it

Cons:
 * serious users of Launchpad are likely to be logged in and this won't help them, except indirectly through reducing server load
 * people may do mitm attacks against the login page (but they could do that already against the http->https redirect)

(This was discussed at the February 2009 São Carlos team leads sprint.)

Martin Pool (mbp)
description: updated
Curtis Hovey (sinzui)
Changed in launchpad-foundations:
status: New → Triaged
importance: Undecided → Low
Robert Collins (lifeless) wrote :

We need to work fast for logged in users with access to confidential data; if we're fast for those users, there's no reason to have complexity around http for anonymous users, because we'll be fast for them too on https.

Changed in launchpad:
status: Triaged → Won't Fix
This report contains Public information  
Everyone can see this information.
