[aur-general] aur website default ssl
Philipp Überbacher
hollunder at lavabit.com
Sat Oct 30 12:01:19 EDT 2010
Excerpts from Justin Davis's message of 2010-10-30 17:47:59 +0200:
> On Sat, Oct 30, 2010 at 4:42 AM, Philipp Überbacher
> <hollunder at lavabit.com> wrote:
> >
> > Often enough, and AUR is an example, it's sufficient to be logged in to
> > change the current password. Knowing the session ID is thus almost
> > equivalent to knowing the password.
> >
>
> If the password is used in more than one place and sniffed out, then
> not only is the user's AUR account compromised but also other accounts
> on other websites. It is easier to run sniffing programs that are
> already set up to search POST form data for the parameter name
> "password" (or something similar) instead of targeting the AUR
> specifically and looking for the "AURSID" cookie.
>
> If the password is the same for the user's email account, the hacker
> just has to look the email up on the AUR and go from there. They can
> also cross-reference the email to other accounts.
Thus 'almost equivalent'.
The one difference in any case is that he has to set a new password in
the session ID case, which I guess isn't a lot of work. The other,
possible, difference I thought of was exactly what you mentioned.
It's funny that even on this technical list the term hacker is used :)
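The "almost equivalent" point above can be made concrete. The following is an added example, not code from the AUR or from either poster: a small in-memory account service (the `AccountService` class, its `require_current_password` flag and the sample user are all assumptions) in which a session cookie may or may not be enough to change the password. The `stolen_cookie_takeover` function models the risk the thread discusses, an attacker who holds only a sniffed session ID, and returns whether that alone lets them lock the legitimate user out.

```python
"""Model of the thread's argument: when a logged-in session can set a new
password without presenting the current one, a sniffed session cookie
is nearly as valuable as the password itself.  Added example, not AUR
code; the service, its flag and the sample user are constructed."""
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


class AccountService:
    """Minimal login/session/password-change service (hypothetical)."""

    def __init__(self, require_current_password: bool):
        # Mitigation toggle: demand the current password for a change.
        self.require_current_password = require_current_password
        self.users: Dict[str, Tuple[bytes, bytes]] = {}   # username -> (salt, digest)
        self.sessions: Dict[str, str] = {}                 # session id -> username

    def register(self, username: str, password: str) -> None:
        self.users[username] = hash_password(password)

    def login(self, username: str, password: str) -> Optional[str]:
        record = self.users.get(username)
        if record is None or not verify_password(password, *record):
            return None
        sid = secrets.token_urlsafe(32)   # the value a session cookie would carry
        self.sessions[sid] = username
        return sid

    def change_password(self, sid: str, new_password: str,
                        current_password: Optional[str] = None) -> bool:
        username = self.sessions.get(sid)
        if username is None:
            return False                  # not logged in
        if self.require_current_password:
            if current_password is None or \
               not verify_password(current_password, *self.users[username]):
                return False              # session alone is not enough
        self.users[username] = hash_password(new_password)
        # Invalidate every other session for this user after a change.
        for other_sid, user in list(self.sessions.items()):
            if user == username and other_sid != sid:
                del self.sessions[other_sid]
        return True


def stolen_cookie_takeover(require_current_password: bool) -> bool:
    """Constructed scenario: the attacker holds only the session ID that
    leaked over plain HTTP.  Returns True if that lets them replace the
    password and log in with the one they chose."""
    svc = AccountService(require_current_password)
    svc.register("alice", "correct horse")
    sid = svc.login("alice", "correct horse")  # assume this cookie was sniffed
    changed = svc.change_password(sid, "attacker-chosen")
    return changed and svc.login("alice", "attacker-chosen") is not None


def legitimate_change(require_current_password: bool) -> bool:
    """The real user, who knows the current password, can still change it."""
    svc = AccountService(require_current_password)
    svc.register("alice", "correct horse")
    sid = svc.login("alice", "correct horse")
    changed = svc.change_password(sid, "new secret", current_password="correct horse")
    return changed and svc.login("alice", "new secret") is not None


if __name__ == "__main__":
    print("session-only change allowed  -> takeover:", stolen_cookie_takeover(False))
    print("current password required    -> takeover:", stolen_cookie_takeover(True))
```

With the flag off, the session ID is as good as the password for the purpose of locking the owner out; with it on, a sniffed cookie still gives the attacker the live session, but not a persistent takeover, which is the gap between "almost equivalent" and "equivalent". Transport encryption remains the fix for the sniffing itself.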