[aur-general] aur website default ssl

PyroPeter abi1789 at googlemail.com
Thu Oct 28 11:00:40 EDT 2010


On 10/28/2010 08:59 AM, Justin Davis wrote:
> On Wed, Oct 27, 2010 at 5:14 AM, Pierre Schmitz<pierre at archlinux.de>  wrote:
>> On Wed, 27 Oct 2010 11:40:19 +0300, Ionuț Bîru<ibiru at archlinux.org>
>> wrote:
>>> As i said earlier in a reply to Loui, maybe we can do it
>>> better. Having https only for login and then redirecting to http is
>>> like not having it at all.
>
> Ionut,
> This is a ridiculous claim. Maybe we should tell that to amazon,
> newegg, and oh I don't know... 99% of websites on the planet? Most
> sites use https only for logins and transactions. Publicly available
> information like aur comments, aur packages, images, etc don't really
> need encryption. Just about everything sent to/from the AUR is not
> sensitive information. Except login passwords. I would be pissed off
> if amazon had the same point of view. What if amazon decided that
> their https for logins and credit cards was the same as not having it
> at all and removed it?

Your browser sends your session-id with every request. It would be
extremely easy to sniff the session-id, configure your browser to use
it, and do malicious actions.

This also works if the AUR associates session-ids with the IP of the
user: The attacker could use the same NAT-gateway as the user.

Regards, PyroPeter
-- 
freenode/pyropeter                          "12:50 - I press Return."
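The point PyroPeter makes, that a session id which rides along on every request is only as protected as the least-protected request, is exactly what the Secure cookie attribute and Strict-Transport-Security exist to enforce: a session cookie set without Secure after an HTTPS login is still attached to the very next http:// request. The following audit is an added example, not code from this thread or from the AUR project; the cookie name AURSID, the hostname and the header values are constructed placeholders for illustration.

```python
"""Audit a login response for a session cookie that would travel over plain HTTP.

Added example, not part of the original thread. The two responses below are
constructed: the "weak" one mirrors the setup the thread criticises (HTTPS for
login, session cookie valid on http://), the "hardened" one pins the cookie to
HTTPS. "AURSID" is a placeholder cookie name, not taken from the AUR code.
"""
from urllib.parse import urlsplit

WEAK_RESPONSE = {
    "Set-Cookie": "AURSID=c0nstructedSessionId; Path=/",
}
HARDENED_RESPONSE = {
    "Set-Cookie": "AURSID=c0nstructedSessionId; Path=/; Secure; HttpOnly; SameSite=Lax",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly map to True, valued attributes (Path, Domain, ...) to their string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def cookie_sent_to(header, url):
    """Would a browser attach the cookie from `header` to a request for `url`?

    Models only the two attributes that matter here: Secure (HTTPS-only) and
    Path (RFC 6265 path-match). Domain and expiry are deliberately ignored.
    """
    _, _, attrs = parse_set_cookie(header)
    target = urlsplit(url)
    if attrs.get("secure") is True and target.scheme != "https":
        return False  # the Secure attribute keeps the cookie off plain HTTP
    cookie_path = attrs.get("path", "/")
    request_path = target.path or "/"
    return request_path == cookie_path or request_path.startswith(
        cookie_path.rstrip("/") + "/"
    )


def audit_session_cookie(response):
    """Return a list of weaknesses in how `response` hands out its session cookie.

    An empty list means the cookie is confined to HTTPS, hidden from scripts,
    and the host tells browsers to stop using http:// at all.
    """
    name, _, attrs = parse_set_cookie(response["Set-Cookie"])
    findings = []
    if attrs.get("secure") is not True:
        findings.append(f"{name} lacks Secure: sent in clear on every http:// request")
    if attrs.get("httponly") is not True:
        findings.append(f"{name} lacks HttpOnly: readable by page scripts")
    if "strict-transport-security" not in {k.lower() for k in response}:
        findings.append("no Strict-Transport-Security: browsers will still follow http:// links")
    return findings


if __name__ == "__main__":
    page = "http://aur.example.org/packages.php"  # placeholder host, constructed
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        sent = cookie_sent_to(resp["Set-Cookie"], page)
        print(f"{label}: session cookie sent over plain HTTP = {sent}")
        for finding in audit_session_cookie(resp):
            print("  -", finding)
```

Run stand-alone it reports that the weak response's cookie is attached to the http:// page request while the hardened one is not, which is the whole difference between "HTTPS for login only" and HTTPS for the session. The HSTS check is there because Secure alone still lets a user type an http:// URL and get a redirect before the browser learns better.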
