Arch Linux

Please read this before reporting a bug:

Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!

FS#30486 - {archweb} Header navigation links have inconsistent HTTPS usage

Attached to Project: Arch Linux
Opened by jstjohn (jstjohn) - Friday, 29 June 2012, 14:57 GMT
Last edited by Dan McGee (toofishes) - Sunday, 21 October 2012, 16:00 GMT
Task Type Bug Report
Category Web Sites
Status Closed
Assigned To Dan McGee (toofishes)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No


When browsing around the Arch web site, I noticed that the header navigation bar's links have inconsistent HTTPS usage. My primary issue is that if you start browsing from the Arch web site using HTTPS, and if you click certain nav. bar links, you will end up on a regular HTTP version of the site.

For example, go to , then click "Home", and notice that you aren't browsing via HTTPS anymore.

The nav. bar links for "Home", "Packages", and "Download" have this issue when viewing the forums, the ArchWiki, the bug tracker, and the AUR.
This task depends upon

Closed by  Dan McGee (toofishes)
Sunday, 21 October 2012, 16:00 GMT
Reason for closing:  Implemented
Additional comments about closing:  Main site is now HTTPS only. Links will slowly get updated but redirects are in place to keep you on https.
Comment by Ionut Biru (wonder) - Friday, 29 June 2012, 15:22 GMT
non of those pages require a login to send credentials.
Comment by Massimiliano Torromeo (mtorromeo) - Friday, 29 June 2012, 15:26 GMT
While login pages are the most critical sections, there are reasons to protect the comunication on every other page.
Comment by Dan McGee (toofishes) - Sunday, 01 July 2012, 17:07 GMT
What Ionut meant was that none of Download, Packages, or the home page require any sort of login or have any sort of cookie for the general user. So the reasons to protect the communication is not really there as far as session hijacking and other things goes.

With that said, I will probably be converting the site to use HTTPS all the time in the next month or so.