[aur-general] Securing the AUR website

Lukas Fleischer archlinux at cryptocrack.de
Sun Aug 7 06:09:43 EDT 2011


On Sun, Aug 07, 2011 at 11:31:58AM +0200, Thomas Bächler wrote:
> Am 06.08.2011 14:32, schrieb Lukas Fleischer:
> > For all tl;dr guys around. This is my proposal:
> > 
> > * Use HTTPS links by default (this is already implemented).
> > 
> > * Enable secure cookies.
> > 
> > * Disallow HTTP login (or at least print a big, fat warning if a user
> >   tries to log in via HTTP).
> 
> I would really go with "disallow". Don't even show a login form, just a
> link that directs to https _before_ being able to enter a password.

Yes, I will make this configurable (via "config.inc.php") but "disallow"
will be the default value and the value used in the AUR setup on sigurd.

> 
> > * Possibly use HSTS.
> > 
> > This should fix all possible vulnerabilities related to HTTPS we can
> > actually fix. Let me know if I missed something.
> > 
> 
> Yes, the list looks complete.

Thanks for reviewing!
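
The four measures in the proposal above (HTTPS links, secure cookies, no login form over HTTP, HSTS), shown together in a small PHP front-controller as an added illustration. This is not the AUR's own code and not what was committed to the AUR repository; the constant names `DISABLE_HTTP_LOGIN` and `HSTS_MAX_AGE` and the `/login/` path are assumed for the example and stand in for whatever the real `config.inc.php` uses.

```php
<?php
// Added example (not AUR code). Illustrates the hardening steps discussed in the
// thread for a PHP site that serves both http:// and https://.

// Assumed equivalents of settings in config.inc.php (names are made up here).
define('DISABLE_HTTP_LOGIN', true);   // default "disallow", as agreed in the thread
define('HSTS_MAX_AGE', 31536000);     // one year, in seconds

// True only when this request itself arrived over TLS.
function is_https(): bool {
    return !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';
}

// Build the https:// URL for the same host and path (used for redirects).
function https_url(string $path): string {
    $host = $_SERVER['HTTP_HOST'] ?? 'localhost';
    return 'https://' . $host . $path;
}

// HSTS: tell the browser to use only HTTPS for this host from now on. The header
// is only meaningful on an HTTPS response, so it is never emitted over plain HTTP.
// includeSubDomains is deliberately left out: other hosts under the domain are
// not known here, and the directive would apply to all of them.
function send_hsts(): void {
    if (is_https()) {
        header('Strict-Transport-Security: max-age=' . HSTS_MAX_AGE);
    }
}

// Secure session cookie: the browser will never send it over plain HTTP, so an
// on-path attacker cannot pick up the session id. HttpOnly keeps it away from
// script as well. Must run before session_start() and before any output.
function configure_session_cookie(): void {
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_only_cookies', '1');
    session_start();
}

// Login gate. With DISABLE_HTTP_LOGIN the form is never rendered over HTTP: the
// browser is sent to the https:// URL before it can enter a password. With the
// setting off, the form is shown with a warning instead (the thread's fallback).
function enforce_https_login(string $path): void {
    if (is_https()) {
        return;
    }
    if (DISABLE_HTTP_LOGIN) {
        header('Location: ' . https_url($path), true, 301);
        exit;
    }
    echo '<p class="warning">Warning: you are logging in over plain HTTP. '
       . 'Your password will be sent unencrypted.</p>';
}

// Request handling.
$path = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH) ?: '/';
send_hsts();

if ($path === '/login/') {
    // A password that was already POSTed over HTTP has already leaked; do not
    // check it and do not create a session for it. Refuse outright.
    if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST' && !is_https()) {
        http_response_code(403);
        exit('Login over plain HTTP is not permitted.');
    }
    enforce_https_login($path);
    configure_session_cookie();
    // ... render the login form / verify credentials over HTTPS only ...
}
```

The redirect is a 301 rather than a 302 so that browsers cache it and stop requesting the HTTP login URL at all; once HSTS has been seen on an HTTPS response, the browser rewrites `http://` to `https://` for the host itself and the redirect is rarely needed. Note that none of this helps a user whose very first visit is intercepted before any HTTPS response has been received; that is why the "no login form over HTTP" rule is the part that actually stops password disclosure.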

