[aur-general] Securing the AUR website

Lukas Fleischer archlinux at cryptocrack.de
Thu Sep 1 06:32:03 EDT 2011 

On Thu, Sep 01, 2011 at 12:13:53PM +0200, Philipp Überbacher wrote:
> Excerpts from Lukas Fleischer's message of 2011-08-06 12:14:14 +0200:
> > On Sat, Aug 06, 2011 at 11:10:48AM +0200, Pierre Schmitz wrote:
> > > On Sat, 6 Aug 2011 02:29:13 +0200, Lukas Fleischer wrote:
> > > > Agreed. I'm still against completely disabling HTTP. We will use HTTPs
> > > > for all links by default so there shouldn't be any users unintentionally
> > > > pasting HTTP links anywhere. Malicious links might still be an issue but
> > > > observant users should be aware of that. And using secure cookies should
> > > > fix that, anyway.
> > > 
> > > I didn't tell to disable HTTP. Of course you add a redirect there and
> > > you might even add the HSTS header. It's not only about links, also
> > > people will just typoe in "aur.archlinux.org" into their browser bar and
> > > that will open http by default.
> > 
> > Well, "Redirect all http traffic to https by default" sounded to me like
> > disabling plain HTTP. Perhaps I took this too literally.
> > 
> > > 
> > > Anyway, I see I am talking to walls here. Sometimes I wonder why there
> > > is so much resistance against encryption. One would think it was the
> > > other way round. 
> > 
> > Again, and I'm not going to repeat this... I am not against enabling
> > encryption and I am not against making it the default. All I said is
> > that we shouldn't turn down HTTP.
> 
> I sadly followed this discussion only remotely when it was ongoing, so I
> have to ask: The agreed upon solution for now is to default to http and
> only allow login from https? At least that's how it is at the moment and
> the http default feels a bit weird to me. When I can only log in with
> https I get the feeling I should use https and wonder why it isn't the
> default. I had a look at other parts of the Arch Linux website as well,
> here's an overview of the defaults:
> 
> archlinux.org       -> http     -> no login anyway
> bbs.archlinux.org   -> https    -> separate login page
> wiki.archlinux.org  -> https    -> separate login page
> bugs.archlinux.org  -> https    -> login on main page
> aur.archlinux.org   -> http     -> login on main page
> 
> As you can see, AUR is the fish out of water here, login is on the
> arrival page, but you can't log in by default. I'm sorry to make the
> suggestion this late, but I'd vote for https as default for AUR.

HTTPs is the default - unless you request the HTTP version explicitly. I
know that some of the navigation bar links aren't updated yet. I sent a
patch for Flyspray to Pierre, and also asked him to update the header
include used in our cgit setup. It should be only a matter of time until
all links are up-to-date.

More information about the aur-general mailing list