On Sat 06 Aug 2011 02:18 +0200, Lukas Fleischer wrote:
> On Sat, Aug 06, 2011 at 01:16:45AM +0300, Ionut Biru wrote:
> > On 08/06/2011 12:54 AM, Lukas Fleischer wrote:
> > > > To prevent session hijacking, MITM attacks or whatnot I'd recommend the following:
> > > > - Redirect all http traffic to https by default
> > > We won't do that. HTTPs will be the default but we won't force users to use HTTPs. If you decide to use HTTP intentionally, we won't prevent you from doing so. HTTPs implies an unnecessary overhead and there's no point in forcing everybody to use HTTPs even if one doesn't even have an AUR account.
> > That reason is a bit childish. We had this discussion 1 year ago and only you and Loui were against.
> > Seriously now, why are you against https? Do you use some aur helper that is broken and uses http and cannot handle redirects well?
> Dude, please stick to the facts. IIRC, I didn't even interfere in the last HTTPs discussion and I nowhere mentioned being against HTTPs. I am totally for making HTTPs the default, I'm just against enforcing it. As you can see, I even committed a few patches replacing all links the AUR ever spits out with HTTPs ones. Everything else is only a matter of server configuration and I am against disabling plain HTTP here.
> Is there any *real* reason to do that? Even archweb doesn't do that and I don't understand the concerns here. Every half-attentive user should be perfectly fine with how we do it in current master. And in case you're really, really paranoid, just set up a proxy that blocks HTTP connections to the AUR.

If I recall correctly, some time after that debate/argument there was a problem with certificates and wget - a problem that was supposedly impossible. Anyways, the redirect is Really God Damned Annoying. If I ask for HTTP please give me HTTP. If I ask for SSL on top give me that. Please don't employ hacky rules in the web server config.

That redirect is subject to a MITM attack just as well. A user might not even notice that they've been redirected to another site. If you really want to promote security don't even respond to requests on port 80.

I agree that encryption should be recommended, but not forced.
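The point made above about the HTTP-to-HTTPS redirect is that a plain-HTTP response is under the control of whoever sits on the path, so the redirect itself can point anywhere. A client or monitoring script can at least classify what a redirect actually does before following it: whether it is a same-host upgrade to HTTPS, a jump to a different host, or a redirect that stays on plain HTTP. The following is an added example, not code from the thread or from the AUR project; the host names and responses are constructed for illustration, and the classification labels are my own.

```python
from urllib.parse import urljoin, urlsplit

# Redirect status codes that carry a Location header.
REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Default ports, so "https://host:443/" and "https://host/" compare equal.
DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url):
    """Return (scheme, host, port) with the default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def classify_redirect(request_url, status, location):
    """Classify the redirect a plain-HTTP request received.

    request_url: the URL the client asked for (expected to be http://...)
    status:      HTTP status code of the response
    location:    value of the Location header, or None

    Returns one of:
      'no-redirect'   the response was not a redirect at all
      'https-upgrade' same host, scheme upgraded to https (the intended case)
      'still-http'    redirected, but the target is still plain http
      'cross-host'    the target is on a different host or port
    """
    if status not in REDIRECT_STATUSES or not location:
        return "no-redirect"

    # Location may be relative; resolve it against the request URL.
    target = urljoin(request_url, location)
    req_scheme, req_host, _ = _origin(request_url)
    tgt_scheme, tgt_host, tgt_port = _origin(target)

    if tgt_host != req_host:
        return "cross-host"
    if tgt_scheme == "https":
        # Same host, but a non-standard TLS port is still a different origin.
        if tgt_port != DEFAULT_PORTS["https"]:
            return "cross-host"
        return "https-upgrade"
    return "still-http"


def summarize(observations):
    """Count redirect classes over a list of (request_url, status, location)."""
    counts = {}
    for request_url, status, location in observations:
        label = classify_redirect(request_url, status, location)
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample responses (not captured from any real server).
SAMPLE_OBSERVATIONS = [
    ("http://aur.example.org/packages.php", 301, "https://aur.example.org/packages.php"),
    ("http://aur.example.org/", 302, "https://aur.example.org.evil.test/"),
    ("http://aur.example.org/", 200, None),
    ("http://aur.example.org/", 301, "/packages.php"),
    ("http://AUR.example.org/", 308, "https://aur.example.org:443/x"),
]

if __name__ == "__main__":
    for obs in SAMPLE_OBSERVATIONS:
        print(obs[0], obs[1], obs[2], "->", classify_redirect(*obs))
    print(summarize(SAMPLE_OBSERVATIONS))
```

Only the 'https-upgrade' class matches what the redirect is supposed to achieve; a 'cross-host' result on a plain-HTTP response is exactly the situation described above, where the user may not notice the destination changed. Note that the check runs on an unauthenticated response, so it can flag an obviously wrong target but cannot by itself prove the redirect came from the real server.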