[aur-general] Securing the AUR website

Lukas Fleischer archlinux at cryptocrack.de
Sat Aug 6 06:26:53 EDT 2011


On Sat, Aug 06, 2011 at 11:21:47AM +0200, Pierre Schmitz wrote:
> On Fri, 5 Aug 2011 19:22:21 -0400, Loui Chang wrote:
> > If I recall correctly some time after that debate/argument there was a
> > problem with certificates and wget
> 
> Wget was broken, yes. But this is fixed by now.
> 
> > - a problem that was supposedly
> > impossible. Anyways, the redirect is Really God Damned Annoying. If I
> > ask for HTTP please give me HTTP. If I ask for ssl on top give me that.
> > Please don't employ hacky rules in the web server config.
> 
> That is a strange argument. First of all why would you explicitly
> decide against encryption? And more important: Most users don't decide
> to use HTTP. This decision is made by links they click or their
> browser when typing in the URL directly.

* Because there might be sucky applications on crappy embedded devices
  that do not support HTTPS (although I doubt there's actually a lot of
  these).

* Because there's some overhead.

* I know these aren't strong arguments, but even having no real reason
  against encryption doesn't mean that we should disable HTTP if there's
  no real objection against using HTTP with reason as well.

> 
> > That redirect is subject to a MITM attack just as well. A user might not
> > even notice that they've been redirected to another site. If you really
> > want to promote security don't even respond to requests on port 80.
> 
> This argument is hard to follow. So you say using no encryption will
> lower the chance of MITM attacks? Not responding on port 80 is a bad idea
> as browser will try this port first and there are a lot of old links
> around.
> 
> > I agree that encryption should be recommended, but not forced.
> 
> Maybe forcing is a bad word here. It's more about ensuring security. ATM
> HTTP is recommended and I bet most users use the AUR unencrypted atm.

We already discussed that this will change.
