[aur-general] aur website default ssl

Lukas Fleischer archlinux at cryptocrack.de
Sat Oct 30 11:57:42 EDT 2010


On Sat, Oct 30, 2010 at 08:47:59AM -0700, Justin Davis wrote:
> If the password is used in more than one place and sniffed out, then
> not only is the user's AUR account compromised but also other accounts
> on other websites. It is easier to run a sniffing program that is
> already set up to search POST form data for the parameter name
> "password" (or something similar) instead of targeting the AUR
> specifically and looking for the "AURSID" cookie.
> 
> If the password is the same for the user's email account, the hacker
> just has to look the email up on the AUR and go from there. They can
> also cross-reference the email to other accounts.

This is one reason to never ever use a password twice.

