[aur-general] aur website default ssl

Smartboy smartboyathome at gmail.com
Sat Oct 30 08:08:35 EDT 2010


On 10/30/2010 04:42 AM, Philipp Überbacher wrote:
> Excerpts from Justin Davis's message of 2010-10-29 20:25:26 +0200:
>> I'm glad I sparked a discussion!
>>
>> I however am still on the decidedly non-paranoid side. Yes I know how
>> man in the middle attacks work. Yes I understand it's possible. No I
>> don't think it's likely. Basically because there is no money involved.
>> Take that as naivete or ignorance if you want but I'm not jumping on
>> the bandwagon.
>>
>> Everyone has taken a technical low-level look at the problem but my
>> point of view is a little broader. The AUR security model is so weak
>> as it is. Anyone can upload any package to run arbitrary code on your
>> machine. Just slapping on https as if to say "we're secure now!"
>> doesn't make me feel more secure. If someone wants to mess with me
>> they don't have to hijack my connection they just upload a bad
>> package.
>>
>> Just to be clear I think the freedom of allowing anyone to upload a
>> package is a good thing and worth the security risk. I haven't been
>> bitten by any malicious packages so far though I usually check them.
>> HTTPS is great, feel free to use it. Switching it to mandatory and
>> telling me how much better off I am seems a bit like evangelism.
>>
>> I don't think HTTPS is bad I just think forcing everything to HTTPS is
>> lazier than fixing the login to use HTTPS. Yes people can sniff my
>> session id to just about any site I visit. Session IDs change.
>> Sniffing a password is much more dangerous. Passwords are personal
>> property. Passwords can be reused... like on other ArchLinux sites.
> Often enough, and AUR is an example, it's sufficient to be logged in to
> change the current password. Knowing the session ID is thus almost
> equivalent to knowing the password.
>
Yes, but one thing keeps coming up in my mind: how many people would 
actually DO this? It isn't like the AUR is that big a target, most 
PKGBUILDs aren't that big a target and I doubt a hacker would go out of 
their way to track one of the maintainers, wait for them to go to a 
public network, then get their session id. If it were one of the binary 
repos, I'd understand, but at this point it just seems like Fear, 
Uncertainty, and Doubt have visited once again.

Smartboy
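The two points argued over above, that a sniffed session id is enough to change the password when the change form does not re-authenticate, and that a session cookie sent without the Secure attribute rides along on plain HTTP requests, as an added illustration that is not part of this thread or of the AUR code; the cookie name, the dict-based user and session stores and the handler signature are assumptions:

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

SESSION_COOKIE = "sid"  # constructed name, not the real AUR cookie name


def audit_session_cookie(set_cookie_header):
    """Findings for the session cookie in a Set-Cookie header.
    Without Secure the browser also attaches the cookie to http:// requests,
    where anyone on the path can read it; HttpOnly keeps it from page script."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    morsel = jar.get(SESSION_COOKIE)
    if morsel is None:
        return [f"no {SESSION_COOKIE} cookie in header"]
    findings = []
    if not morsel["secure"]:
        findings.append("missing Secure: session id leaks over plain HTTP")
    if not morsel["httponly"]:
        findings.append("missing HttpOnly: session id readable by page script")
    return findings


def hash_password(password, salt=None):
    # salted PBKDF2; the salt is stored in front of the digest
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt + digest


def verify_password(stored, password):
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, digest)


def change_password(sessions, users, sid, new_password,
                    current_password=None, require_reauth=True):
    """Password-change handler. With require_reauth=False a session id alone
    takes over the account (the weakness described in the thread); with
    require_reauth=True the caller must also prove the current password."""
    user = sessions.get(sid)
    if user is None:
        return "not logged in"
    if require_reauth and (current_password is None
                           or not verify_password(users[user], current_password)):
        return "rejected: current password required"
    users[user] = hash_password(new_password)
    return "changed"
```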