[aur-general] Securing the AUR website

Loui Chang louipc.ist at gmail.com
Fri Aug 5 19:22:21 EDT 2011


On Sat 06 Aug 2011 02:18 +0200, Lukas Fleischer wrote:
> On Sat, Aug 06, 2011 at 01:16:45AM +0300, Ionut Biru wrote:
> > On 08/06/2011 12:54 AM, Lukas Fleischer wrote:
> > 
> > >>
> > >>To prevent session hijacking, MITM attacks or whatnot I'd recommend the
> > >>following:
> > >>* Redirect all http traffic to https by default
> > >
> > >We won't do that. HTTPs will be the default but we won't force users to
> > >use HTTPs. If you decide to use HTTP intentionally, we won't prevent you
> > >from doing so. HTTPs implies an unnecessary overhead and there's no
> > >point in forcing everybody to use HTTPs even if one doesn't even have an
> > >AUR account.
> > 
> > That reason is a bit childish. We had this discussion 1 year ago and
> > only you and Loui were against.
> > 
> > Seriously now, why are you against https? Do you use some aur helper
> > that is broken and uses http and cannot handle redirect well?
> 
> Dude, please stick to the facts. Iirc, I didn't even interfere in the
> last HTTPs discussion and I nowhere mentioned being against HTTPs. I am
> totally for making HTTPs the default, I'm just against enforcing it. As
> you can see, I even committed a few patches replacing all links the AUR
> ever spits out by HTTPs ones. Everything else is only a matter of server
> configuration and I am against disabling plain HTTP here.
> 
> Is there any *real* reason to do that? Even archweb doesn't do that and
> I don't understand the concerns here. Every half-attentive should be
> perfectly fine with how we do it in current master. And in case you're
> really, really paranoid, just set up a proxy that blocks HTTP connections
> to the AUR.

If I recall correctly some time after that debate/argument there was a
problem with certificates and wget - a problem that was supposedly
impossible. Anyways, the redirect is Really God Damned Annoying. If I
ask for HTTP please give me HTTP. If I ask for ssl on top give me that.
Please don't employ hacky rules in the web server config.

That redirect is subject to a MITM attack just as well. A user might not
even notice that they've been redirected to another site. If you really
want to promote security don't even respond to requests on port 80.

I agree that encryption should be recommended, but not forced.