Justin Davis jrcd83 at gmail.com
Fri Oct 29 14:25:26 EDT 2010

I'm glad I sparked a discussion!

I however am still on the decidedly non-paranoid side. Yes I know how
man in the middle attacks work. Yes I understand it's possible. No I
don't think it's likely. Basically because there is no money involved.
Take that as naivete or ignorance if you want but I'm not jumping on
the bandwagon.

Everyone has taken a technical low-level look at the problem but my
point of view is a little broader. The AUR security model is so weak
as it is. Anyone can upload any package to run arbitrary code on your
machine. Just slapping on https as if to say "we're secure now!"
doesn't make me feel more secure. If someone wants to mess with me,
they don't have to hijack my connection; they just upload a bad

Just to be clear I think the freedom of allowing anyone to upload a
package is a good thing and worth the security risk. I haven't been
bitten by any malicious packages so far though I usually check them.
HTTPS is great, feel free to use it. Switching it to mandatory and
telling me how much better off I am seems a bit like evangelism.

I don't think HTTPS is bad, I just think forcing everything to HTTPS is
lazier than fixing the login to use HTTPS. Yes people can sniff my
session id to just about any site I visit. Session IDs change.
Sniffing a password is much more dangerous. Passwords are personal
property. Passwords can be reused... like on other ArchLinux sites.


