<p>IMHO all links for registered/possibly authenticated users should be https to make sure that they do not accidentally use http and become a victim of a man-in-the-middle attack. Especially with OpenStreetMap, I assume it is very common to use insecure wifi networks, for example at conferences or in restaurants, to contribute to it. Therefore it would be quite easy for attackers to read unencrypted traffic in these situations.<br>
I do not know Ruby on Rails very well - does the notification code have access to the information about the request that triggered it so it can use the same protocol here?</p>
<p style="font-size:small;-webkit-text-size-adjust:none;color:#666;"><a href="https://github.com/openstreetmap/openstreetmap-website/pull/1341#issuecomment-256380632">View it on GitHub</a>.</p>