Excerpts from Smartboy's message of 2010-10-30 14:08:35 +0200:
On 10/30/2010 04:42 AM, Philipp Überbacher wrote:
Excerpts from Justin Davis's message of 2010-10-29 20:25:26 +0200:
I'm glad I sparked a discussion!
I, however, am still on the decidedly non-paranoid side. Yes, I know how man-in-the-middle attacks work. Yes, I understand it's possible. No, I don't think it's likely, basically because there is no money involved. Take that as naivete or ignorance if you want, but I'm not jumping on the bandwagon.
Everyone has taken a technical, low-level look at the problem, but my point of view is a little broader. The AUR security model is so weak as it is. Anyone can upload any package to run arbitrary code on your machine. Just slapping on HTTPS, as if to say "we're secure now!", doesn't make me feel more secure. If someone wants to mess with me, they don't have to hijack my connection; they just upload a bad package.
Just to be clear, I think the freedom of allowing anyone to upload a package is a good thing and worth the security risk. I haven't been bitten by any malicious packages so far, though I usually check them. HTTPS is great, feel free to use it. Switching it to mandatory and telling me how much better off I am seems a bit like evangelism.
I don't think HTTPS is bad; I just think forcing everything to HTTPS is lazier than fixing the login to use HTTPS. Yes, people can sniff my session ID to just about any site I visit. Session IDs change. Sniffing a password is much more dangerous. Passwords are personal property. Passwords can be reused... like on other Arch Linux sites. Often enough, and the AUR is an example, it's sufficient to be logged in to change the current password. Knowing the session ID is thus almost equivalent to knowing the password.
Yes, but one thing keeps coming up in my mind: how many people would actually DO this? It isn't like the AUR is that big a target; most PKGBUILDs aren't that big a target, and I doubt a hacker would go out of their way to track one of the maintainers, wait for them to go to a public network, and then get their session ID. If it were one of the binary repos, I'd understand, but at this point it just seems like Fear, Uncertainty, and Doubt have visited once again.
Smartboy
I don't have a strong opinion on either approach; I just argued that there is not so much difference between sniffing passwords and session IDs on the AUR. Now that you say maintainers, I wonder how the system works for TUs, since they do upload binary packages. Is there a single sign-on or something like this?
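The thread's point that "knowing the session ID is almost equivalent to knowing the password" hinges on one design choice: whether the password-change handler asks for the current password or only checks that a session exists. The following is an added illustration written for this page, not code from the AUR or from anyone in the thread. It models a minimal account store with two password-change policies and replays a sniffed session ID against both; the usernames, passwords and session format are constructed for the demo. It also shows a second practitioner's point the thread does not spell out: even a login-only HTTPS scheme still leaks the session cookie on later plain-HTTP requests unless the cookie carries the Secure attribute, so the session-policy fix and the transport fix are complementary, not alternatives.

```python
"""Session-hijack versus password-change policy (constructed example)."""
import hashlib
import hmac
import secrets


class AccountStore:
    """Toy in-memory account store; not the AUR's real implementation."""

    def __init__(self):
        self._users = {}     # username -> (salt, pbkdf2 digest)
        self._sessions = {}  # session id -> username

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user, password):
        # Fresh salt on every (re)set so old digests cannot be compared.
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, self._digest(password, salt))

    def verify(self, user, password):
        rec = self._users.get(user)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(digest, self._digest(password, salt))

    def login(self, user, password):
        """Returns a session id on success, None otherwise."""
        if not self.verify(user, password):
            return None
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = user
        return sid

    def change_password_weak(self, sid, new_password):
        """Policy described in the thread: being logged in is enough."""
        user = self._sessions.get(sid)
        if user is None:
            return False
        self.register(user, new_password)
        return True

    def change_password_strict(self, sid, current_password, new_password):
        """Hardened policy: re-prove the password, then drop every session."""
        user = self._sessions.get(sid)
        if user is None or not self.verify(user, current_password):
            return False
        self.register(user, new_password)
        # Rotating sessions means the hijacked id dies with the old password.
        self._sessions = {s: u for s, u in self._sessions.items() if u != user}
        return True


def secure_cookie_header(sid):
    """Set-Cookie line that keeps the session id off plain-HTTP requests."""
    return f"Set-Cookie: AURSID={sid}; Secure; HttpOnly; Path=/"


def hijack_scenario():
    """Replay a sniffed session id against both policies (constructed data)."""
    # Weak policy: the attacker changes the password with the sniffed id alone.
    weak = AccountStore()
    weak.register("alice", "correct horse")
    sniffed = weak.login("alice", "correct horse")   # observed on the wire
    weak_changed = weak.change_password_weak(sniffed, "owned")
    weak_attacker_login = weak.login("alice", "owned") is not None
    weak_owner_login = weak.login("alice", "correct horse") is not None

    # Strict policy: the sniffed id is useless without the current password.
    strict = AccountStore()
    strict.register("alice", "correct horse")
    sniffed = strict.login("alice", "correct horse")
    strict_changed = strict.change_password_strict(sniffed, "guess", "owned")
    strict_owner_login = strict.login("alice", "correct horse") is not None

    return {
        "weak_changed": weak_changed,
        "weak_attacker_login": weak_attacker_login,
        "weak_owner_login": weak_owner_login,
        "strict_changed": strict_changed,
        "strict_owner_login": strict_owner_login,
    }


if __name__ == "__main__":
    for k, v in hijack_scenario().items():
        print(f"{k}: {v}")
```

Under the weak policy the sniffed session lets the attacker set a new password and lock the owner out, which is exactly the "session ID is almost a password" equivalence from the thread; under the strict policy the same sniffed id gets nothing, and a legitimate change invalidates every outstanding session, including a hijacked one. The cookie name `AURSID` in `secure_cookie_header` is an assumption for illustration only.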