serve anonymous pages over http rather than https
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Launchpad itself | Won't Fix | Low | Unassigned |
Bug Description
As a smaller slice than bug 46591, Launchpad could serve content to anonymous (non-logged-in) users over http, rather than redirecting to https.
Anonymous users by definition cannot see private content, and can make few (if any?) changes to the server state.
Pros:
* these requests would probably load faster, and put less load on the server
* likewise for robots crawling Launchpad
* these pages could be more easily cached by squid and in the client's disk cache, further improving the load and response time, and reducing db load
* this is easier and arguably safer than serving authenticated content in the clear pre 46591, and would give us some experience towards it
Cons:
* serious users of Launchpad are likely to be logged in and this won't help them, except indirectly through reducing server load
* people may do mitm attacks against the login page (but they could do that already against the http->https redirect)
(This was discussed at the February 2009 São Carlos team leads sprint.)
description: updated
Changed in launchpad-foundations:
status: New → Triaged
importance: Undecided → Low
We need to work fast for logged-in users with access to confidential data; if we're fast for those users, there's no reason to have complexity around http for anonymous users, because we'll be fast for them too on https.