[aur-general] Securing the AUR website
hollunder at lavabit.com
Thu Sep 1 06:51:24 EDT 2011
Excerpts from Lukas Fleischer's message of 2011-09-01 12:32:03 +0200:
> On Thu, Sep 01, 2011 at 12:13:53PM +0200, Philipp Überbacher wrote:
> > Excerpts from Lukas Fleischer's message of 2011-08-06 12:14:14 +0200:
> > > On Sat, Aug 06, 2011 at 11:10:48AM +0200, Pierre Schmitz wrote:
> > > > On Sat, 6 Aug 2011 02:29:13 +0200, Lukas Fleischer wrote:
> > > > > Agreed. I'm still against completely disabling HTTP. We will use HTTPs
> > > > > for all links by default so there shouldn't be any users unintentionally
> > > > > pasting HTTP links anywhere. Malicious links might still be an issue but
> > > > > observant users should be aware of that. And using secure cookies should
> > > > > fix that, anyway.
> > > >
> > > > I didn't tell to disable HTTP. Of course you add a redirect there and
> > > > you might even add the HSTS header. It's not only about links, also
> > > > people will just typoe in "aur.archlinux.org" into their browser bar and
> > > > that will open http by default.
> > >
> > > Well, "Redirect all http traffic to https by default" sounded to me like
> > > disabling plain HTTP. Perhaps I took this too literally.
> > >
> > > >
> > > > Anyway, I see I am talking to walls here. Sometimes I wonder why there
> > > > is so much resistance against encryption. One would think it was the
> > > > other way round.
> > >
> > > Again, and I'm not going to repeat this... I am not against enabling
> > > encryption and I am not against making it the default. All I said is
> > > that we shouldn't turn down HTTP.
> > I sadly followed this discussion only remotely when it was ongoing, so I
> > have to ask: The agreed upon solution for now is to default to http and
> > only allow login from https? At least that's how it is at the moment and
> > the http default feels a bit weird to me. When I can only log in with
> > https I get the feeling I should use https and wonder why it isn't the
> > default. I had a look at other parts of the Arch Linux website as well,
> > here's an overview of the defaults:
> > archlinux.org -> http -> no login anyway
> > bbs.archlinux.org -> https -> separate login page
> > wiki.archlinux.org -> https -> separate login page
> > bugs.archlinux.org -> https -> login on main page
> > aur.archlinux.org -> http -> login on main page
> > As you can see, AUR is the fish out of water here, login is on the
> > arrival page, but you can't log in by default. I'm sorry to make the
> > suggestion this late, but I'd vote for https as default for AUR.
> HTTPs is the default - unless you request the HTTP version explicitly. I
> know that some of the navigation bar links aren't updated yet. I sent a
> patch for Flyspray to Pierre, and also asked him to update the header
> include used in our cgit setup. It should be only a matter of time until
> all links are up-to-date.
When I type aur.archlinux.org in firefox I get the http version, that's
what I mean by default. Thanks for your efforts to secure AUR.
More information about the aur-general