[aur-general] Securing the AUR website
schiv at archlinux.org
Mon Sep 5 07:46:25 EDT 2011
On 3 September 2011 23:49, Gordon JC Pearce <gordonjcp at gjcp.net> wrote:
> One is that https is painfully slow over slow or unreliable connections (GPRS springs to mind; 3G service is patchy here).
> The other is that switching to https has left AUR in a fundamentally broken state. If you search for a package on AUR with any of the significant search engines, they return an http link. You can't do anything with this, though, because *even if you're logged in* you get the "ZOMG OH NOES YOU AREN'T USING HTTPS AND HTTPS IS TEH AWSUM!!!!11!!11!" message.
> Now, if clicking on that took you *to the same page but with https* that would be fine, but it doesn't. It unceremoniously dumps you on the index page for AUR, with no way to get back to the package that you googled.
> So, the only way to use AUR from (say) Google is to search for a package, click on it, copy the address from the bar, click on the https login link, log in (since even if you're logged in, visiting the http page seems to log you out), then paste the address you got from the search engine into the address bar, edit it to go to https, then hit return. This is hardly a seamless user experience, but it ought to be trivial to fix.
> Sort it the fuck out.
> If you want me to put my money where my mouth is and contribute some code, then just ask.
You may want to file a bug report against the AUR project (or the
entire site) at http://bugs.archlinux.org/
If I just want to browse a domain or subdomain as a guest I wouldn't
want to deal with httpS because (1) it slows down my inherently slow
connection (think GPRS/EDGE/2G) and (2) I'm not even logged in to want
to protect any kind of credential.
As it is currently, the Arch Linux sites are enforcing HTTPS and so
even if I don't want SECURE, I have to deal with it. I didn't speak up
against this before because (1) I wasn't surfing around much and (2) I
didn't think my opinion/case would matter and (3) I don't even have
the sufficient technical knowledge to debate this sort of thing.
At the end of the day, though, SECURE for logins is definitely good,
but a lot of sites give the user an option to either disable or enable
httpS, eg. Google (GMail; GMail for Mobile) and WordPress. I also know
some sites where they only redirect "paying" or "deluxe" users to
HTTPS after/during login.
So even if you don't care about your password, it's good to have
HTTPS, just to be safe.
GPG/PGP ID: 8AADBB10
More information about the aur-general