[aur-general] Securing the AUR website

Philipp Überbacher hollunder at lavabit.com
Thu Sep 1 07:13:27 EDT 2011


Excerpts from Lukas Fleischer's message of 2011-09-01 13:01:50 +0200:
> On Thu, Sep 01, 2011 at 12:51:24PM +0200, Philipp Überbacher wrote:
> > Excerpts from Lukas Fleischer's message of 2011-09-01 12:32:03 +0200:
> > > On Thu, Sep 01, 2011 at 12:13:53PM +0200, Philipp Überbacher wrote:
> > [...]
> > > > I sadly followed this discussion only remotely when it was ongoing, so I
> > > > have to ask: The agreed upon solution for now is to default to http and
> > > > only allow login from https? At least that's how it is at the moment and
> > > > the http default feels a bit weird to me. When I can only log in with
> > > > https I get the feeling I should use https and wonder why it isn't the
> > > > default. I had a look at other parts of the Arch Linux website as well,
> > > > here's an overview of the defaults:
> > > > 
> > > > archlinux.org       -> http     -> no login anyway
> > > > bbs.archlinux.org   -> https    -> separate login page
> > > > wiki.archlinux.org  -> https    -> separate login page
> > > > bugs.archlinux.org  -> https    -> login on main page
> > > > aur.archlinux.org   -> http     -> login on main page
> > > > 
> > > > As you can see, AUR is the fish out of water here, login is on the
> > > > arrival page, but you can't log in by default. I'm sorry to make the
> > > > suggestion this late, but I'd vote for https as default for AUR.
> > > 
> > > HTTPs is the default - unless you request the HTTP version explicitly. I
> > > know that some of the navigation bar links aren't updated yet. I sent a
> > > patch for Flyspray to Pierre, and also asked him to update the header
> > > include used in our cgit setup. It should be only a matter of time until
> > > all links are up-to-date.
> > 
> > When I type aur.archlinux.org in Firefox I get the http version, that's
> > what I mean by default. Thanks for your efforts to secure AUR.
> 
> Yeah, you request the HTTP version (your browser does this automatically
> if you skip the protocol part), so this is kind of expected behaviour.
> We could introduce an HTTPs redirect for the AUR home page. Not sure if
> that is the right thing to do, though.

So it's a Firefox default to try http first and the other parts of the
website redirect?
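The check the thread is circling around, as an added example that is not part of the original thread: given the response a server sends for a plain http:// request, decide whether it redirects to HTTPS (as the bbs, wiki and bugs sites do), serves plain HTTP (the AUR behaviour being discussed), or redirects elsewhere. The hosts and responses below are constructed samples, not captures from archlinux.org.

```python
# Added example: classify a site's answer to an http:// request.
# Responses and hostnames are constructed samples, not real captures.
from urllib.parse import urlparse

def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_code, {header: value})."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def classify(host: str, raw: bytes) -> str:
    """Return 'https-redirect', 'other-redirect', 'plain-http' or 'error'."""
    status, headers = parse_response(raw)
    if 300 <= status < 400:
        target = urlparse(headers.get("location", ""))
        # Only a redirect to https:// on the same host actually moves the
        # visitor (and the login form) onto TLS.
        if target.scheme == "https" and (target.hostname or host) == host:
            return "https-redirect"
        return "other-redirect"
    if status == 200:
        return "plain-http"  # login form reachable over cleartext
    return "error"

def hsts_present(raw: bytes) -> bool:
    """True if the response carries a Strict-Transport-Security header."""
    _, headers = parse_response(raw)
    return "strict-transport-security" in headers

# Constructed samples mirroring the three behaviours seen in the overview.
SAMPLES = {
    "bbs.example.org": (b"HTTP/1.1 301 Moved Permanently\r\n"
                        b"Location: https://bbs.example.org/\r\n\r\n"),
    "aur.example.org": (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                        b"<html>login form</html>"),
    "www.example.org": (b"HTTP/1.1 302 Found\r\n"
                        b"Location: http://www.example.org/index.php\r\n\r\n"),
}

def audit(samples=SAMPLES):
    """Build an overview like the one in the thread: host -> verdict."""
    return {host: classify(host, raw) for host, raw in samples.items()}

if __name__ == "__main__":
    for host, verdict in audit().items():
        print(f"{host:20} -> {verdict}")
```

Feeding real responses (e.g. the headers from `curl -sI http://host/`) into `classify` reproduces the table by hand-free means; a site that answers `plain-http` while hosting its login form on that page is the case the thread flags.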
