[aur-general] Securing the AUR website

Lukas Fleischer archlinux at cryptocrack.de
Sat Aug 6 06:14:14 EDT 2011


On Sat, Aug 06, 2011 at 11:10:48AM +0200, Pierre Schmitz wrote:
> On Sat, 6 Aug 2011 02:29:13 +0200, Lukas Fleischer wrote:
> > Agreed. I'm still against completely disabling HTTP. We will use HTTPs
> > for all links by default so there shouldn't be any users unintentionally
> > pasting HTTP links anywhere. Malicious links might still be an issue but
> > observant users should be aware of that. And using secure cookies should
> > fix that, anyway.
> 
> I didn't tell to disable HTTP. Of course you add a redirect there and
> you might even add the HSTS header. It's not only about links, also
> people will just typoe in "aur.archlinux.org" into their browser bar and
> that will open http by default.

Well, "Redirect all http traffic to https by default" sounded to me like
disabling plain HTTP. Perhaps I took this too literally.

> 
> Anyway, I see I am talking to walls here. Sometimes I wonder why there
> is so much resistance against encryption. One would think it was the
> other way round. 

Again, and I'm not going to repeat this... I am not against enabling
encryption and I am not against making it the default. All I said is
that we shouldn't turn down HTTP.


More information about the aur-general mailing list