[aur-general] Securing the AUR website
Pierre Schmitz
pierre at archlinux.de
Sat Aug 6 05:10:48 EDT 2011
On Sat, 6 Aug 2011 02:29:13 +0200, Lukas Fleischer wrote:
> Agreed. I'm still against completely disabling HTTP. We will use HTTPS
> for all links by default so there shouldn't be any users unintentionally
> pasting HTTP links anywhere. Malicious links might still be an issue but
> observant users should be aware of that. And using secure cookies should
> fix that, anyway.
I didn't say to disable HTTP. Of course you add a redirect there and
you might even add the HSTS header. It's not only about links; people
will also just type "aur.archlinux.org" into their browser bar and
that will open HTTP by default.
Anyway, I see I am talking to walls here. Sometimes I wonder why there
is so much resistance against encryption. One would think it was the
other way round.
--
Pierre Schmitz, https://users.archlinux.de/~pierre
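
The measures named in this thread (a redirect from HTTP, the HSTS header, secure cookies), as an added example that is not part of the original message: a Python check over constructed response headers. The host `aur.example.org`, the cookie name `SID` and the helper names are assumptions for illustration.

```python
from urllib.parse import urlsplit

def hsts_max_age(value):
    """Return max-age (seconds) from a Strict-Transport-Security value, or None."""
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            arg = arg.strip().strip('"')
            return int(arg) if arg.isdigit() else None
    return None

def audit(host, http_resp, https_resp):
    """Each response is (status, [(header, value), ...]); returns a list of findings."""
    findings = []
    status, headers = http_resp
    location = next((v for k, v in headers if k.lower() == "location"), "")
    target = urlsplit(location)
    if status not in (301, 302, 307, 308) or target.scheme != "https" or target.hostname != host:
        findings.append("http: no redirect to https on the same host")
    # Browsers ignore HSTS received over plain HTTP (RFC 6797), so only
    # the HTTPS response is checked for it.
    _, headers = https_resp
    hsts = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not (hsts and hsts_max_age(hsts[0])):
        findings.append("https: no effective HSTS header")
    for k, v in headers:
        if k.lower() == "set-cookie":
            attrs = [a.strip().lower() for a in v.split(";")[1:]]
            if "secure" not in attrs:
                findings.append("https: cookie %s lacks Secure" % v.split("=", 1)[0])
    return findings

# Constructed sample responses; host and cookie name are hypothetical.
HOST = "aur.example.org"
WEAK = ((200, [("Content-Type", "text/html")]),
        (200, [("Set-Cookie", "SID=abc123; Path=/; HttpOnly")]))
HARDENED = ((301, [("Location", "https://aur.example.org/")]),
            (200, [("Strict-Transport-Security", "max-age=31536000"),
                   ("Set-Cookie", "SID=abc123; Path=/; Secure; HttpOnly")]))

if __name__ == "__main__":
    for label, (plain, tls) in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(HOST, plain, tls) or "ok")
```

Even with all three in place, the very first plain-HTTP request from a typed hostname is still sent unencrypted; HSTS only protects visits after the browser has seen the header once over HTTPS.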