Excerpts from Thomas Bächler's message of 2011-09-01 14:16:20 +0200: > Am 01.09.2011 13:01, schrieb Lukas Fleischer: > >>>> archlinux.org -> http -> no login anyway > >>>> bbs.archlinux.org -> https -> separate login page > >>>> wiki.archlinux.org -> https -> separate login page > >>>> bugs.archlinux.org -> https -> login on main page > >>>> aur.archlinux.org -> http -> login on main page > >>>> > >>>> As you can see, AUR is the fish out of water here, login is on the > >>>> arrival page, but you can't log in by default. I'm sorry to make the > >>>> suggestion this late, but I'd vote for https as default for AUR. > >>> > >>> HTTPs is the default - unless you request the HTTP version explicitly. I > >>> know that some of the navigation bar links aren't updated yet. I sent a > >>> patch for Flyspray to Pierre, and also asked him to update the header > >>> include used in our cgit setup. It should be only a matter of time until > >>> all links are up-to-date. > >> > >> When I type aur.archlinux.org in firefox I get the http version, that's > >> what I mean by default. Thanks for your efforts to secure AUR. > > > > Yeah, you request the HTTP version (your browser does this automatically > > if you skip the protocol part), so this is kind of expected behaviour. > > We could introduce an HTTPs redirect for the AUR home page. Not sure if > > that is the right thing to do, though. > > I'd like to remind everyone again that Arch Linux is now included in the > https-everywhere default rules, see [1]. This will always redirect you > to https on every Arch Linux site (even releng, www, planet, where it > isn't actually needed). > > [1] https://www.eff.org/https-everywhere/
Do I understand it correctly that https-everywhere goes through a lot of trouble (browser-plugin with whitelist and custom rules for every page) for what could be achieved by simply defaulting to https?