On Sat 06 Aug 2011 02:18 +0200, Lukas Fleischer wrote: > On Sat, Aug 06, 2011 at 01:16:45AM +0300, Ionut Biru wrote: > > On 08/06/2011 12:54 AM, Lukas Fleischer wrote: > > > > >> > > >>To prevent session hijacking, mtm attacks or whatnot I'd recommend the > > >>following: > > >>* Redirect all http traffic to https by default > > > > > >We won't do that. HTTPs will be the default but we won't force users to > > >use HTTPs. If you decide to use HTTP intentionally, we won't prevent you > > >from doing so. HTTPs implies an unnecessary overhead and there's no > > >point in forcing everybody to use HTTPs even if one doesn't even have an > > >AUR account. > > > > That reason is a bit childish. We had this discussion 1 year ago and > > only you and Loui were against. > > > > Seriously now, why you are against https? Do you use some aur helper > > that is broken and uses http and cannot handle redirect well? > > Dude, please stick to the facts. Iirc, I didn't even interfere in the > last HTTPs discussion and I nowhere mentioned being against HTTPs. I am > totally for making HTTPs the default, I'm just against enforcing it. As > you can see, I even committed a few patches replacing all links the AUR > ever spits out by HTTPs ones. Everything else is only a matter of server > configuration and I am against disabling plain HTTP here. > > Is there any *real* reason to do that? Even archweb doesn't do that and > I don't understand the concerns here. Every half-attentive should be > perfectly fine with how we do it in current master. And in case you're > really, really paranoid, just setup a proxy that blocks HTTP connections > to the AUR.
If I recall correctly some time after that debate/argument there was a problem with certificates and wget - a problem that was supposedly impossible. Anyways, the redirect is Really God Damned Annoying. If I ask for HTTP please give me HTTP. If I ask for ssl on top give me that. Please don't employ hacky rules in the web server config. That redirect is subject to a MITM attack just as well. A user might not even notice that they've been redirected to another site. If you really want to promote security don't even respond to requests on port 80. I agree that encryption should be recommended, but not forced.
