[aur-general] Securing the AUR website

Loui Chang louipc.ist at gmail.com
Sat Aug 6 04:30:54 EDT 2011


On Sat 06 Aug 2011 11:21 +0200, Pierre Schmitz wrote:
> On Fri, 5 Aug 2011 19:22:21 -0400, Loui Chang wrote:
> > If I recall correctly some time after that debate/argument there was a
> > problem with certificates and wget
>
> Wget was broken, yes. But this is fixed by now.
>
> > - a problem that was supposedly
> > impossible. Anyways, the redirect is Really God Damned Annoying. If I
> > ask for HTTP please give me HTTP. If I ask for ssl on top give me that.
> > Please don't employ hacky rules in the web server config.
>
> That is a strange argument. First of all why would you explicitly
> decide against encryption? And more important: Most users don't decide
> to use HTTP. This decision is made by links they click or their
> browser when typing in the URL directly.

Right. Let me make that decision myself. Thanks.
I would decide against encryption if I have problems with ssl so that I
can just go ahead and retrieve the PKGBUILDs that I need to do my job.
I manually review their authenticity anyhow.

> > That redirect is subject to a MITM attack just as well. A user might not
> > even notice that they've been redirected to another site. If you really
> > want to promote security don't even respond to requests on port 80.
>
> This argument is hard to follow. So you say using no encryption will
> lower the chance of MITM attacks? Not responding on port 80 is a bad idea
> as browsers will try this port first and there are a lot of old links
> around.

Users may get a false sense of security with the redirect. I'm saying
that having that redirect doesn't change the chance of mitm attacks. An
attacker will impersonate the Arch server from the http onward and all
your ssl is for nothing. If you're worried about old links then you can
serve a page saying that http is no longer supported, so people can
figure out what's going on. Increased security usually involves
some discomfort.

> > I agree that encryption should be recommended, but not forced.
>
> Maybe forcing is a bad word here. It's more about ensuring security. ATM
> http is recommended and I bet most users use the AUR unencrypted atm.

Yeah the links just need to be updated to recommend ssl.
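The practical consequence of the thread's argument is on the client side: if the first request goes out over plaintext HTTP, the server's redirect cannot protect the user, because an on-path attacker answers that request instead of the real server. A client that wants "ssl on top" therefore has to refuse plaintext itself rather than rely on the redirect. The fetcher below is an added example written for this page; it is not code from the thread, from the AUR, or from any Arch tool. It refuses http:// URLs outright, refuses any redirect that leaves https://, lets urllib verify the server certificate against the system trust store, and (standing in for the manual review Loui mentions) compares the fetched PKGBUILD against a SHA-256 digest the reviewer recorded after reading it. The URL, the digest workflow and the sample PKGBUILD text are assumptions made for the example; the AUR does not publish such digests.

```python
"""Fetch a PKGBUILD over HTTPS only, refusing any plaintext hop.

Added example for this thread; not code from the AUR or from Arch Linux.
"""
import hashlib
import hmac
import sys
import urllib.request
from urllib.error import HTTPError
from urllib.parse import urlparse

# Constructed sample, used by the self-check below; not a real AUR package.
SAMPLE_PKGBUILD = b"pkgname=example\npkgver=1.0\npkgrel=1\n"


def scheme_allowed(url):
    """Only https:// is acceptable.

    A plaintext first hop lets an on-path attacker answer instead of the
    real server, whether or not the real server would have redirected.
    """
    return urlparse(url).scheme == "https"


def redirect_allowed(new_url):
    """Redirect targets get the same rule: a 3xx to http:// is a downgrade."""
    return scheme_allowed(new_url)


class HttpsOnlyRedirectHandler(urllib.request.HTTPRedirectHandler):
    """urllib follows redirects to any scheme by default; this refuses
    any hop off https://."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        if not redirect_allowed(newurl):
            raise HTTPError(newurl, code, "refusing redirect off https",
                            headers, fp)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_digest(data, expected_sha256):
    """Compare the fetched bytes against a digest the reviewer recorded
    after reading the PKGBUILD by hand (assumed workflow, see lead-in)."""
    return hmac.compare_digest(sha256_hex(data), expected_sha256.lower())


def fetch_pkgbuild(url, expected_sha256=None, timeout=30):
    """Return the PKGBUILD bytes, or raise before any plaintext request
    is made, before following a downgrade, or on a digest mismatch."""
    if not scheme_allowed(url):
        raise ValueError("refusing plaintext URL: %s" % url)
    # build_opener() replaces the default redirect handler with ours.
    opener = urllib.request.build_opener(HttpsOnlyRedirectHandler())
    # urllib verifies the server certificate against the system trust
    # store by default; no opt-out is offered here, as the point of the
    # script is to fail closed when TLS is broken.
    with opener.open(url, timeout=timeout) as resp:
        data = resp.read()
    if expected_sha256 is not None and not verify_digest(data, expected_sha256):
        raise ValueError("PKGBUILD digest mismatch; review it again before use")
    return data


if __name__ == "__main__":
    # Usage: fetch_pkgbuild.py https://host/path/PKGBUILD [sha256]
    if len(sys.argv) < 2:
        sys.exit("usage: %s https://... [sha256]" % sys.argv[0])
    digest = sys.argv[2] if len(sys.argv) > 2 else None
    sys.stdout.write(fetch_pkgbuild(sys.argv[1], digest).decode("utf-8", "replace"))
```

Run it with an https:// URL and it behaves like a normal download with certificate checking; give it an http:// URL, or point it at a server that answers with a redirect to http://, and it stops with an error instead of silently fetching over plaintext. That is the client-side equivalent of "if I ask for ssl give me that": the decision is made before the first packet leaves, where the redirect in the server config cannot influence it.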
