[aur-general] Securing the AUR website
hollunder at lavabit.com
Thu Sep 1 11:55:57 EDT 2011
Excerpts from Thomas Bächler's message of 2011-09-01 14:16:20 +0200:
> Am 01.09.2011 13:01, schrieb Lukas Fleischer:
> >>>> archlinux.org -> http -> no login anyway
> >>>> bbs.archlinux.org -> https -> separate login page
> >>>> wiki.archlinux.org -> https -> separate login page
> >>>> bugs.archlinux.org -> https -> login on main page
> >>>> aur.archlinux.org -> http -> login on main page
> >>>> As you can see, AUR is the fish out of water here, login is on the
> >>>> arrival page, but you can't log in by default. I'm sorry to make the
> >>>> suggestion this late, but I'd vote for https as default for AUR.
> >>> HTTPs is the default - unless you request the HTTP version explicitly. I
> >>> know that some of the navigation bar links aren't updated yet. I sent a
> >>> patch for Flyspray to Pierre, and also asked him to update the header
> >>> include used in our cgit setup. It should be only a matter of time until
> >>> all links are up-to-date.
> >> When I type aur.archlinux.org in firefox I get the http version, that's
> >> what I mean by default. Thanks for your efforts to secure AUR.
> > Yeah, you request the HTTP version (your browser does this automatically
> > if you skip the protocol part), so this is kind of expected behaviour.
> > We could introduce an HTTPs redirect for the AUR home page. Not sure if
> > that is the right thing to do, though.
> I'd like to remind everyone again that Arch Linux is now included in the
> https-everywhere default rules, see https://www.eff.org/https-everywhere/ .
> This will always redirect you to https on every Arch Linux site (even
> releng, www, planet, where it isn't actually needed).
Do I understand it correctly that https-everywhere goes through a lot of
trouble (browser-plugin with whitelist and custom rules for every page)
for what could be achieved by simply defaulting to https?
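The thread's server-side alternative to a client plugin is a redirect from http:// to https:// on the web site itself, plus an HSTS header so the browser stops sending plain-HTTP requests at all. The script below is an added example (not code from the AUR project or from anyone in this thread) that checks whether a site does this: the first response to a plain-HTTP request must be a permanent redirect to the same host, path and query on https://, and the https:// response must carry a Strict-Transport-Security header with a reasonable max-age. The hostname comes from the thread; every response in the sample run is constructed, not captured, and the 180-day max-age threshold is an assumed policy.

```python
"""Check whether a site 'defaults to HTTPS' instead of relying on a browser plugin.

Added example, not the AUR project's code. Sample responses are constructed.
"""
import sys
import http.client
from urllib.parse import urlsplit, urlunsplit

REDIRECT_STATUSES = (301, 302, 303, 307, 308)
PERMANENT_STATUSES = (301, 308)


def expected_https_target(http_url):
    """Where a correct redirect must land: same host, path and query, https scheme."""
    parts = urlsplit(http_url)
    return urlunsplit(("https", parts.hostname or "", parts.path or "/", parts.query, ""))


def evaluate_redirect(http_url, status, headers):
    """Judge the first response to a plain-HTTP request.

    headers: response headers with lowercase names. Returns (ok, problems).
    """
    problems = []
    if status not in REDIRECT_STATUSES:
        problems.append("served over plain HTTP (status %d) instead of redirecting" % status)
        return False, problems
    if status not in PERMANENT_STATUSES:
        problems.append("temporary redirect (%d); 301 or 308 lets clients cache the HTTPS choice" % status)
    want = urlsplit(expected_https_target(http_url))
    target = urlsplit(headers.get("location", ""))
    if target.scheme != "https":
        problems.append("redirect target is not https: %r" % headers.get("location", ""))
    if target.hostname != want.hostname:
        problems.append("redirect changes the host: %r -> %r" % (want.hostname, target.hostname))
    if (target.path or "/") != want.path or target.query != want.query:
        # A redirect to the front page loses the page the user asked for.
        problems.append("redirect does not preserve the requested resource: %r -> %r"
                        % (urlunsplit(want), urlunsplit(target)))
    return not problems, problems


def evaluate_hsts(https_headers, min_max_age=15552000):
    """Judge the Strict-Transport-Security header of the HTTPS response.

    Browsers only honour HSTS received over HTTPS (RFC 6797), so this must be
    run on the https:// response, not on the redirect. The 180-day default
    threshold is an assumed policy, not something the thread prescribes.
    """
    value = https_headers.get("strict-transport-security")
    if value is None:
        return False, ["no Strict-Transport-Security header; browsers will keep trying plain HTTP first"]
    directives = {}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        directives[name.lower()] = val.strip().strip('"')
    try:
        max_age = int(directives["max-age"])
    except (KeyError, ValueError):
        return False, ["missing or malformed max-age in %r" % value]
    if max_age < min_max_age:
        return False, ["max-age=%d is shorter than %d seconds" % (max_age, min_max_age)]
    return True, []


def fetch_first_response(url, timeout=10):
    """GET url and return (status, headers) without following redirects."""
    parts = urlsplit(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = cls(parts.hostname, parts.port, timeout=timeout)
    try:
        conn.request("GET", urlunsplit(("", "", parts.path or "/", parts.query, "")))
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


def audit_site(host):
    """Run both checks live against a host (needs network access)."""
    http_url = "http://%s/" % host
    status, headers = fetch_first_response(http_url)
    ok, problems = evaluate_redirect(http_url, status, headers)
    _, https_headers = fetch_first_response("https://%s/" % host)
    hsts_ok, hsts_problems = evaluate_hsts(https_headers)
    return ok and hsts_ok, problems + hsts_problems


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(audit_site(sys.argv[1]))
    else:
        # Constructed responses (not captured from aur.archlinux.org) showing each verdict.
        samples = [
            ("http://aur.archlinux.org/packages.php?ID=1", 301,
             {"location": "https://aur.archlinux.org/packages.php?ID=1"}),
            ("http://aur.archlinux.org/", 200, {"content-type": "text/html"}),
            ("http://aur.archlinux.org/packages.php?ID=1", 302,
             {"location": "https://aur.archlinux.org/"}),
        ]
        for url, status, headers in samples:
            print(url, status, evaluate_redirect(url, status, headers))
        print("HSTS:", evaluate_hsts({"strict-transport-security": "max-age=31536000; includeSubDomains"}))
```

Run it with a hostname argument to audit a live site, or with no arguments to see the verdicts on the constructed samples. The two checks are complementary: the redirect fixes the first visit, and HSTS is what makes later visits skip plain HTTP, which is the part HTTPS Everywhere otherwise has to do on the client.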