[aur-general] Securing the AUR website

Pierre Schmitz pierre at archlinux.de
Sat Aug 6 05:21:47 EDT 2011


On Fri, 5 Aug 2011 19:22:21 -0400, Loui Chang wrote:
> If I recall correctly some time after that debate/argument there was a
> problem with certificates and wget

Wget was broken, yes. But this is fixed by now.

> - a problem that was supposedly
> impossible. Anyways, the redirect is Really God Damned Annoying. If I
> ask for HTTP please give me HTTP. If I ask for ssl on top give me that.
> Please don't employ hacky rules in the web server config.

That is a strange argument. First of all, why would you explicitly
decide against encryption? And more importantly: most users don't decide
to use HTTP. This decision is made by the links they click or by their
browser when typing in the URL directly.

> That redirect is subject to a MITM attack just as well. A user might not
> even notice that they've been redirected to another site. If you really
> want to promote security don't even respond to requests on port 80.

This argument is hard to follow. So you say using no encryption will
lower the chance of MITM attacks? Not responding on port 80 is a bad idea
as browsers will try this port first and there are a lot of old links
around.

> I agree that encryption should be recommended, but not forced.

Maybe forcing is a bad word here. It's more about ensuring security. ATM
HTTP is recommended and I bet most users use the AUR unencrypted ATM.

Greetings,

Pierre

-- 
Pierre Schmitz, https://users.archlinux.de/~pierre