[aur-general] Securing the AUR website
matej.lach at gmail.com
Thu Sep 1 06:58:46 EDT 2011
On 01/09/11 11:51, Philipp Überbacher wrote:
> Excerpts from Lukas Fleischer's message of 2011-09-01 12:32:03 +0200:
>> On Thu, Sep 01, 2011 at 12:13:53PM +0200, Philipp Überbacher wrote:
>>> Excerpts from Lukas Fleischer's message of 2011-08-06 12:14:14 +0200:
>>>> On Sat, Aug 06, 2011 at 11:10:48AM +0200, Pierre Schmitz wrote:
>>>>> On Sat, 6 Aug 2011 02:29:13 +0200, Lukas Fleischer wrote:
>>>>>> Agreed. I'm still against completely disabling HTTP. We will use HTTPs
>>>>>> for all links by default so there shouldn't be any users unintentionally
>>>>>> pasting HTTP links anywhere. Malicious links might still be an issue but
>>>>>> observant users should be aware of that. And using secure cookies should
>>>>>> fix that, anyway.
>>>>> I didn't tell to disable HTTP. Of course you add a redirect there and
>>>>> you might even add the HSTS header. It's not only about links, also
>>>>> people will just typoe in "aur.archlinux.org" into their browser bar and
>>>>> that will open http by default.
>>>> Well, "Redirect all http traffic to https by default" sounded to me like
>>>> disabling plain HTTP. Perhaps I took this too literally.
>>>>> Anyway, I see I am talking to walls here. Sometimes I wonder why there
>>>>> is so much resistance against encryption. One would think it was the
>>>>> other way round.
>>>> Again, and I'm not going to repeat this... I am not against enabling
>>>> encryption and I am not against making it the default. All I said is
>>>> that we shouldn't turn down HTTP.
>>> I sadly followed this discussion only remotely when it was ongoing, so I
>>> have to ask: The agreed upon solution for now is to default to http and
>>> only allow login from https? At least that's how it is at the moment and
>>> the http default feels a bit weird to me. When I can only log in with
>>> https I get the feeling I should use https and wonder why it isn't the
>>> default. I had a look at other parts of the Arch Linux website as well,
>>> here's an overview of the defaults:
>>> archlinux.org -> http -> no login anyway
>>> bbs.archlinux.org -> https -> separate login page
>>> wiki.archlinux.org -> https -> separate login page
>>> bugs.archlinux.org -> https -> login on main page
>>> aur.archlinux.org -> http -> login on main page
>>> As you can see, AUR is the fish out of water here, login is on the
>>> arrival page, but you can't log in by default. I'm sorry to make the
>>> suggestion this late, but I'd vote for https as default for AUR.
>> HTTPs is the default - unless you request the HTTP version explicitly. I
>> know that some of the navigation bar links aren't updated yet. I sent a
>> patch for Flyspray to Pierre, and also asked him to update the header
>> include used in our cgit setup. It should be only a matter of time until
>> all links are up-to-date.
> When I type aur.archlinux.org in firefox I get the http version, that's
> what I mean by default. Thanks for your efforts to secure AUR.
When I visit aur.archlinux.org I get the https version (chromium).
Try to clean your firefox cache...
More information about the aur-general