[aur-general] Securing the AUR website

Xyne xyne at archlinux.ca
Sat Aug 6 21:10:13 EDT 2011


Lukas Fleischer wrote:

> For all tl;dr guys around. This is my proposal:
> 
> * Use HTTPS links by default (this is already implemented).
> 
> * Enable secure cookies.
> 
> * Disallow HTTP login (or at least print a big, fat warning if a user
>   tries to log in via HTTP).
> 
> * Possibly use HSTS.
> 
> This should fix all possible vulnerabilities related to HTTPS we can
> actually fix. Let me know if I missed something.

I've just read through all the threads but my reply is general so I'll post it
here.

First, I strongly support the use of methods and protocols that improve privacy
and security and I very much appreciate Pierre's and everyone else's efforts
here.

Most of Lukas' proposal looks good to me.

I propose that all requests from an external referrer be redirected to HTTPS to
catch users clicking onto the AUR via search engines. You could make this clear
via a redirection page that informs the user of the security benefits of using
HTTPS. Users who still wish to access the AUR via plain HTTP can still type in
the HTTP address once and then browse the site (but not log in) normally.

As already discussed, it might not avoid all threats but it does avoid some,
which is better than nothing, and blocking all HTTP would not be acceptable.

You could also add a warning to HTTP pages to notify users that HTTPS is
available and recommended (along with a link).

Alternatively, you could just add a warning to HTTP requests with no referrer,
i.e. requests typed directly into the address bar.

Regards,
Xyne
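The decision logic that the two proposals add up to, written out as an added example (this is not code from the thread or from the AUR itself, which is written in PHP): Lukas' points (secure cookies, no login over HTTP, HSTS) together with Xyne's referrer-based redirect and the warning for requests typed straight into the address bar. The host name, the login path, the HSTS lifetime and the plain `Referer` header spelling are assumptions chosen for the example, not taken from the AUR.

```python
"""Routing and header policy for a site that prefers HTTPS but still serves HTTP."""
from urllib.parse import urlsplit

# Assumptions for this example (not from the thread): canonical host, login path,
# and how long browsers should remember the HSTS policy.
SITE_HOST = "aur.archlinux.org"
LOGIN_PATH = "/login"
HSTS_MAX_AGE = 60 * 60 * 24 * 180  # 180 days


def referrer_host(headers):
    """Host named in the Referer header.

    Returns '' when no Referer was sent (typed into the address bar),
    None when the header is present but has no usable host.
    """
    ref = headers.get("Referer")
    if ref is None:
        return ""
    return urlsplit(ref).hostname  # None for a value with no host part


def route(scheme, path, headers):
    """Decide how to handle one request; returns (action, target_url_or_None)."""
    https_url = f"https://{SITE_HOST}{path}"
    if scheme == "https":
        return ("serve", None)

    # Everything below is plain HTTP.
    if path.split("?", 1)[0].rstrip("/") == LOGIN_PATH:
        # Disallow HTTP login outright: bounce to the HTTPS login page.
        return ("redirect", https_url)

    ref = referrer_host(headers)
    if ref == "":
        # Typed directly into the address bar: serve, but show the HTTPS notice.
        return ("serve-with-warning", https_url)
    if ref is None or ref.lower() != SITE_HOST:
        # Arrived from a search engine or other external site: upgrade to HTTPS
        # (the redirect page can explain why).
        return ("redirect", https_url)
    # Internal referrer: the user deliberately chose HTTP and is just browsing.
    return ("serve", None)


def response_headers(scheme, session_cookie=None):
    """Security headers for a response sent over `scheme`."""
    headers = {}
    if scheme == "https":
        # Browsers only honour HSTS when it arrives over HTTPS; sending it
        # over HTTP is pointless.
        headers["Strict-Transport-Security"] = f"max-age={HSTS_MAX_AGE}"
    if session_cookie is not None:
        name, value = session_cookie
        # Secure: the browser never sends it over plain HTTP.
        # HttpOnly: not readable from page script.
        headers["Set-Cookie"] = f"{name}={value}; Secure; HttpOnly; Path=/"
    return headers


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        ("https", "/packages.php?ID=1", {}),
        ("http", "/login", {}),
        ("http", "/packages.php?ID=1", {"Referer": "https://www.google.com/search?q=aur"}),
        ("http", "/packages.php?ID=1", {"Referer": "http://aur.archlinux.org/index.php"}),
        ("http", "/packages.php?ID=1", {}),
    ]
    for scheme, path, hdrs in samples:
        print(scheme, path, hdrs.get("Referer", "-"), "->", route(scheme, path, hdrs))
    print(response_headers("https", ("AURSID", "example")))
```

Two caveats worth keeping in mind when reading this against the thread. The Referer header can be stripped by browsers, proxies or privacy extensions and can be set to anything by an attacker, so the redirect is a nudge for ordinary users rather than a security boundary, which is what the message above already concedes. And HSTS, once a browser has seen it, rewrites every `http://` request for the site to HTTPS for the whole `max-age`, so the "type the HTTP address once and keep browsing" option no longer exists for users whose browser has seen the header; the two measures pull in opposite directions for that group.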
