On 01/09/11 11:51, Philipp Überbacher wrote:
Excerpts from Lukas Fleischer's message of 2011-09-01 12:32:03 +0200:
On Thu, Sep 01, 2011 at 12:13:53PM +0200, Philipp Überbacher wrote:
Excerpts from Lukas Fleischer's message of 2011-08-06 12:14:14 +0200:
On Sat, Aug 06, 2011 at 11:10:48AM +0200, Pierre Schmitz wrote:
On Sat, 6 Aug 2011 02:29:13 +0200, Lukas Fleischer wrote:
Agreed. I'm still against completely disabling HTTP. We will use HTTPS
for all links by default so there shouldn't be any users unintentionally
pasting HTTP links anywhere. Malicious links might still be an issue but
observant users should be aware of that. And using secure cookies should
fix that, anyway.
I didn't tell to disable HTTP. Of course you add a redirect there and
you might even add the HSTS header. It's not only about links, also
people will just type "aur.archlinux.org" into their browser bar and
that will open http by default.
Well, "Redirect all http traffic to https by default" sounded to me like
disabling plain HTTP. Perhaps I took this too literally.

Anyway, I see I am talking to walls here. Sometimes I wonder why there
is so much resistance against encryption. One would think it was the
other way round.
Again, and I'm not going to repeat this... I am not against enabling
encryption and I am not against making it the default. All I said is
that we shouldn't turn down HTTP.
I sadly followed this discussion only remotely when it was ongoing, so I
have to ask: The agreed upon solution for now is to default to http and
only allow login from https? At least that's how it is at the moment and
the http default feels a bit weird to me. When I can only log in with
https I get the feeling I should use https and wonder why it isn't the
default. I had a look at other parts of the Arch Linux website as well,
here's an overview of the defaults:

archlinux.org       ->  http     ->  no login anyway
bbs.archlinux.org   ->  https    ->  separate login page
wiki.archlinux.org  ->  https    ->  separate login page
bugs.archlinux.org  ->  https    ->  login on main page
aur.archlinux.org   ->  http     ->  login on main page

As you can see, AUR is the fish out of water here, login is on the
arrival page, but you can't log in by default. I'm sorry to make the
suggestion this late, but I'd vote for https as default for AUR.
HTTPS is the default - unless you request the HTTP version explicitly. I
know that some of the navigation bar links aren't updated yet. I sent a
patch for Flyspray to Pierre, and also asked him to update the header
include used in our cgit setup. It should be only a matter of time until
all links are up-to-date.
When I type aur.archlinux.org in firefox I get the http version, that's
what I mean by default. Thanks for your efforts to secure AUR.

Regards,
Philipp


When I visit aur.archlinux.org I get the https version (chromium).
Try to clean your firefox cache...
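An added check, not code from this thread or from the AUR setup, for the three points the discussion turns on: whether a plain-http request is redirected to https, whether the https response carries an HSTS header, and whether the session cookie has the Secure flag. The responses are constructed samples and the cookie name AURSID is assumed.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample responses (status, headers), not real captures:
# one site serving plain HTTP by default, one with redirect + HSTS + Secure cookie.
WEAK = {
    "http":  (200, {"Content-Type": "text/html"}),
    "https": (200, {"Content-Type": "text/html",
                    "Set-Cookie": "AURSID=abc123; path=/"}),
}
HARDENED = {
    "http":  (301, {"Location": "https://aur.archlinux.org/"}),
    "https": (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
                    "Set-Cookie": "AURSID=abc123; path=/; Secure; HttpOnly"}),
}


def hsts_max_age(value):
    """Return the max-age from an HSTS header value, or 0 if missing or invalid."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.lower() == "max-age" and val.isdigit():
            return int(val)
    return 0


def audit(site, session_cookie="AURSID"):
    """Return a list of findings; an empty list means all three checks pass."""
    findings = []

    # 1. A request over plain HTTP must be redirected to an https:// URL.
    status, headers = site["http"]
    location = headers.get("Location", "")
    if status not in (301, 302, 307, 308) or urlsplit(location).scheme != "https":
        findings.append("plain HTTP is served instead of redirected to HTTPS")

    # 2. The HTTPS response should tell browsers to stay on HTTPS (HSTS).
    status, headers = site["https"]
    if hsts_max_age(headers.get("Strict-Transport-Security", "")) <= 0:
        findings.append("no Strict-Transport-Security header on the HTTPS response")

    # 3. The session cookie must not be sent over plain HTTP: it needs Secure.
    morsel = SimpleCookie(headers.get("Set-Cookie", "")).get(session_cookie)
    if morsel is not None and not morsel["secure"]:
        findings.append(f"session cookie {session_cookie} lacks the Secure flag")

    return findings
```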
