[aur-general] aur website default ssl

Philipp Überbacher hollunder at lavabit.com
Sat Oct 30 08:30:58 EDT 2010


Excerpts from Smartboy's message of 2010-10-30 14:08:35 +0200:
> On 10/30/2010 04:42 AM, Philipp Überbacher wrote:
> > Excerpts from Justin Davis's message of 2010-10-29 20:25:26 +0200:
> >> I'm glad I sparked a discussion!
> >>
> >> I however am still on the decidedly non-paranoid side. Yes I know how
> >> man in the middle attacks work. Yes I understand it's possible. No I
> >> don't think it's likely. Basically because there is no money involved.
> >> Take that as naivete or ignorance if you want but I'm not jumping on
> >> the bandwagon.
> >>
> >> Everyone has taken a technical low-level look at the problem but my
> >> point of view is a little broader. The AUR security model is so weak
> >> as it is. Anyone can upload any package to run arbitrary code on your
> >> machine. Just slapping on https as if to say "we're secure now!"
> >> doesn't make me feel more secure. If someone wants to mess with me
> >> they don't have to hijack my connection they just upload a bad
> >> package.
> >>
> >> Just to be clear I think the freedom of allowing anyone to upload a
> >> package is a good thing and worth the security risk. I haven't been
> >> bitten by any malicious packages so far though I usually check them.
> >> HTTPS is great, feel free to use it. Switching it to mandatory and
> >> telling me how much better off I am seems a bit like evangelism.
> >>
> >> I don't think HTTPS is bad I just think forcing everything to HTTPS is
> >> lazier than fixing the login to use HTTPS. Yes people can sniff my
> >> session id to just about any site I visit. Session IDs change.
> >> Sniffing a password is much more dangerous. Passwords are personal
> >> property. Passwords can be reused... like on other ArchLinux sites.
> > Often enough, and AUR is an example, it's sufficient to be logged in to
> > change the current password. Knowing the session ID is thus almost
> > equivalent to knowing the password.
> >
> Yes, but one thing keeps coming up in my mind: how many people would 
> actually DO this? It isn't like the AUR is that big a target, most 
> PKGBUILDs aren't that big a target and I doubt a hacker would go out of 
> their way to track one of the maintainers, wait for them to go to a 
> public network, then get their session id. If it were one of the binary 
> repos, I'd understand, but at this point it just seems like Fear, 
> Uncertainty, and Doubt have visited once again.
> 
> Smartboy

I don't have a strong opinion on either approach; I just argued that
there is not much difference between sniffing passwords and
session IDs on AUR.

Now that you say maintainers, I wonder how the system works for TUs,
since they do upload binary packages. Is there a single sign-on or
something like this?



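The point made above about session IDs being almost as good as passwords hinges on one server-side detail: whether the password-change form re-checks the current password or merely requires a valid session. The following is an added example, not code from the thread or from the AUR web application. It models a minimal account service with made-up names (AccountService, change_password_weak, change_password_hardened, session_cookie_header) and constructed users, and shows a sniffed session ID taking over the account under the weak handler while the hardened handler refuses the change and kills the hijacker's session after a legitimate change. The cookie helper illustrates the Secure attribute, which keeps the browser from sending the session cookie over plain HTTP in the first place.

```python
"""Added example: why a stolen session ID can equal a stolen password when
password changes only require "logged in", and what a hardened handler does.
All class/function names and users here are hypothetical."""
import hashlib
import hmac
import os
import secrets


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 from the standard library; iteration count kept modest for a demo.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def session_cookie_header(sid: str, https_only: bool) -> str:
    """Build a Set-Cookie line. Without Secure the browser will send the
    session ID over plain HTTP, which is exactly what a sniffer waits for."""
    attrs = ["sid=" + sid, "HttpOnly", "Path=/"]
    if https_only:
        attrs.append("Secure")
    return "Set-Cookie: " + "; ".join(attrs)


class AccountService:
    def __init__(self):
        self.users = {}     # username -> (salt, pbkdf2 hash)
        self.sessions = {}  # session_id -> username

    def _set_password(self, user, password):
        salt = os.urandom(16)
        self.users[user] = (salt, _hash_password(password, salt))

    def check_password(self, user, password):
        rec = self.users.get(user)
        if rec is None:
            return False
        salt, stored = rec
        return hmac.compare_digest(stored, _hash_password(password, salt))

    def login(self, user, password):
        if not self.check_password(user, password):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = user
        return sid

    def change_password_weak(self, sid, new_password):
        # Weak: only asks "is this a valid session?". Anyone holding a sniffed
        # session ID can set a new password and lock the real owner out.
        user = self.sessions.get(sid)
        if user is None:
            return False
        self._set_password(user, new_password)
        return True

    def change_password_hardened(self, sid, current_password, new_password):
        # Hardened: re-authenticate with the current password, then invalidate
        # every session for the account so a hijacker's copy of the cookie dies.
        user = self.sessions.get(sid)
        if user is None or not self.check_password(user, current_password):
            return False
        self._set_password(user, new_password)
        for stale in [s for s, u in self.sessions.items() if u == user]:
            del self.sessions[stale]
        return True


def demo():
    """Run both handlers against a session ID the attacker has sniffed."""
    weak = AccountService()
    weak._set_password("alice", "correct horse")
    sid = weak.login("alice", "correct horse")
    # Attacker replays the sniffed session ID against the weak endpoint.
    hijacked_weak = weak.change_password_weak(sid, "attacker-pw")
    alice_locked_out = not weak.check_password("alice", "correct horse")

    hard = AccountService()
    hard._set_password("bob", "hunter2")
    sid2 = hard.login("bob", "hunter2")
    # Same replay against the hardened endpoint: attacker must guess the password.
    hijacked_hardened = hard.change_password_hardened(sid2, "wrong guess", "attacker-pw")
    bob_still_ok = hard.check_password("bob", "hunter2")
    # Bob himself changes his password; afterwards the old session ID is dead.
    legit_change = hard.change_password_hardened(sid2, "hunter2", "new-pw")
    sid2_dead = sid2 not in hard.sessions

    return {
        "hijacked_weak": hijacked_weak,
        "alice_locked_out": alice_locked_out,
        "hijacked_hardened": hijacked_hardened,
        "bob_still_ok": bob_still_ok,
        "legit_change": legit_change,
        "sid2_dead": sid2_dead,
        "cookie_http": session_cookie_header("abc", https_only=False),
        "cookie_https": session_cookie_header("abc", https_only=True),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=", v)
```

Requiring the current password on the change form closes the "session ID equals password" shortcut; the Secure cookie attribute (which only makes sense once the site is served over HTTPS) addresses the sniffing step itself. The two are complementary, not alternatives.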