Excerpts from Thomas Bächler's message of 2011-09-01 14:16:20 +0200:
On 01.09.2011 13:01, Lukas Fleischer wrote:
archlinux.org      -> http  -> no login anyway
bbs.archlinux.org  -> https -> separate login page
wiki.archlinux.org -> https -> separate login page
bugs.archlinux.org -> https -> login on main page
aur.archlinux.org  -> http  -> login on main page
As you can see, AUR is the fish out of water here: login is on the arrival page, but you can't log in by default. I'm sorry to make the suggestion this late, but I'd vote for https as default for AUR.
HTTPs is the default - unless you request the HTTP version explicitly. I know that some of the navigation bar links aren't updated yet. I sent a patch for Flyspray to Pierre, and also asked him to update the header include used in our cgit setup. It should be only a matter of time until all links are up-to-date.
When I type aur.archlinux.org in Firefox I get the http version; that's what I mean by default. Thanks for your efforts to secure AUR.
Yeah, you request the HTTP version (your browser does this automatically if you skip the protocol part), so this is kind of expected behaviour. We could introduce an HTTPs redirect for the AUR home page. Not sure if that is the right thing to do, though.
I'd like to remind everyone again that Arch Linux is now included in the https-everywhere default rules, see [1]. This will always redirect you to https on every Arch Linux site (even releng, www, planet, where it isn't actually needed).
Do I understand it correctly that https-everywhere goes through a lot of trouble (browser-plugin with whitelist and custom rules for every page) for what could be achieved by simply defaulting to https?