[aur-general] Securing the AUR website

Pierre Schmitz pierre at archlinux.de
Fri Aug 5 18:09:34 EDT 2011


On Fri, 5 Aug 2011 23:54:57 +0200, Lukas Fleischer wrote:
> We won't do that. HTTPs will be the default but we won't force users to
> use HTTPs. If you decide to use HTTP intentionally, we won't prevent you
> from doing so. HTTPs implies an unnecessary overhead and there's no
> point in forcing everybody to use HTTPs even if one doesn't even have an
> AUR account.

Seriously, the overhead is negligible, on the client as on the server side.
Even for those who don't have an AUR account, https would prevent anybody
else from injecting code. But those won't matter anyway because securing
those who have an account should be the priority. At least ensure that
cookies are never sent unencrypted.

> That is kind of fixed in Git (again, check [1], [2], [3] and [4]).
> 
> [1] http://projects.archlinux.org/aur.git/commit/?id=1e7b9d57
> [2] http://projects.archlinux.org/aur.git/commit/?id=5ea9fc19
> [3] http://projects.archlinux.org/aur.git/commit/?id=973e4f85
> [4] http://projects.archlinux.org/aur.git/commit/?id=89721137

None of these patches fixes the issue that session data will still be
sent unencrypted. This is a real world issue; even if you log in using
https it won't be unlikely that you will later visit the site unencrypted
(by clicking on a link or some resource you forgot to send via https).

Greetings,

Pierre

-- 
Pierre Schmitz, https://users.archlinux.de/~pierre

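The leak Pierre describes above (a session cookie obtained over https being replayed on a later plain-http visit) can be reproduced offline with Python's standard cookie jar, which applies the same rule browsers do: a cookie carrying the `Secure` attribute is only attached to https requests. This is an added example, not code from the aur-general thread or from the AUR code base; the URLs, the cookie name `AURSID` and the two `Set-Cookie` headers are constructed for illustration and nothing is sent over the network.

```python
"""Show why a session cookie set over HTTPS must carry the Secure flag.

Added example (not from the aur-general thread or the AUR code base). The
login response is simulated with a constructed Set-Cookie header; the host
and paths below are illustrative assumptions.
"""
import http.cookiejar
import urllib.request
from email.message import Message

# Constructed Set-Cookie headers standing in for the AUR login response.
# Cookie name and value are assumptions made for this example.
INSECURE_LOGIN_COOKIE = "AURSID=c0ns7ruc7ed; Path=/; HttpOnly"
SECURE_LOGIN_COOKIE = "AURSID=c0ns7ruc7ed; Path=/; HttpOnly; Secure"

LOGIN_URL = "https://aur.archlinux.org/login"            # assumed URL
LATER_HTTP_URL = "http://aur.archlinux.org/packages.php"   # assumed URL
LATER_HTTPS_URL = "https://aur.archlinux.org/packages.php"  # assumed URL


class FakeResponse:
    """Minimal stand-in for an HTTP response.

    CookieJar.extract_cookies() only needs .info() to return a headers
    object with get_all(), which email.message.Message provides.
    """

    def __init__(self, set_cookie_header):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie_header

    def info(self):
        return self._headers


def cookie_header_for(set_cookie_header, later_url):
    """Log in over HTTPS, then build a later request to later_url.

    Returns the Cookie header the jar would attach to that later request,
    or None if the jar (correctly) withholds the cookie.
    """
    jar = http.cookiejar.CookieJar()

    # Step 1: the login response arrives over https and sets the session cookie.
    login_request = urllib.request.Request(LOGIN_URL)
    jar.extract_cookies(FakeResponse(set_cookie_header), login_request)

    # Step 2: the user follows a link that points at the site without https.
    later_request = urllib.request.Request(later_url)
    jar.add_cookie_header(later_request)
    return later_request.get_header("Cookie")


def main():
    for label, header in (("without Secure", INSECURE_LOGIN_COOKIE),
                          ("with Secure", SECURE_LOGIN_COOKIE)):
        leaked = cookie_header_for(header, LATER_HTTP_URL)
        kept = cookie_header_for(header, LATER_HTTPS_URL)
        print(f"{label}: sent over http -> {leaked!r}; sent over https -> {kept!r}")


if __name__ == "__main__":
    main()
```

Without `Secure`, the session identifier travels in clear text on the very first http page the user is sent to, which is exactly what a passive attacker on the path needs; with `Secure`, the later https request still works and the http request carries no cookie at all. The server-side fix is therefore independent of the login page itself: every session cookie it emits must be flagged `Secure` (and `HttpOnly`, so scripts cannot read it either).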