[aur-general] Securing the AUR website
Thomas Bächler
thomas at archlinux.org
Sat Aug 6 07:02:03 EDT 2011
On 05.08.2011 23:54, Lukas Fleischer wrote:
> [1] http://projects.archlinux.org/aur.git/commit/?id=1e7b9d57
> [2] http://projects.archlinux.org/aur.git/commit/?id=5ea9fc19
> [3] http://projects.archlinux.org/aur.git/commit/?id=973e4f85
> [4] http://projects.archlinux.org/aur.git/commit/?id=89721137
Those commits are nothing but a charade. The very least you must do is this:
1) ALWAYS force a redirect to https on the AUR login page, never allow
the login to be submitted unencrypted.
2) Ensure that the cookie is never sent over http, only over https.
Everything less than that is completely irresponsible.
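The two requirements above (no unencrypted login submission, and a session cookie the browser will never send over plain http) translate into a small amount of server-side logic. The following is an added, framework-agnostic illustration written for this archive page; it is not the AUR's own code. The path `/login`, the cookie name `AURSID`, and the `handle_login` / `cookie_is_https_only` function names are assumptions made for the example, and credential verification is left out (the caller passes `credentials_ok`).

```python
"""Illustration of the two rules from the post:
1) the login page refuses to work over http and redirects to https;
2) the session cookie carries the Secure flag (and HttpOnly as a cheap extra).
Not the AUR's code; names and paths below are assumptions for this example."""
import secrets
from http.cookies import SimpleCookie

LOGIN_PATH = "/login"       # assumed login path, not taken from the post
SESSION_COOKIE = "AURSID"   # assumed cookie name, constructed for this example


def build_session_cookie(session_id):
    """Return a Set-Cookie header value that browsers will only send over https."""
    cookie = SimpleCookie()
    cookie[SESSION_COOKIE] = session_id
    cookie[SESSION_COOKIE]["path"] = "/"
    cookie[SESSION_COOKIE]["secure"] = True    # rule 2: never transmitted over http
    cookie[SESSION_COOKIE]["httponly"] = True  # extra: not readable from page scripts
    return cookie[SESSION_COOKIE].OutputString()


def handle_login(scheme, host, path, method, credentials_ok=False):
    """Return (status, headers) for a request to the login page.

    scheme/host/path/method describe the incoming request. credentials_ok is the
    result of a password check that is out of scope here.
    """
    if scheme != "https":
        # Rule 1: never accept credentials over plain http. Redirect permanently to
        # the https URL. A POST body that arrived in clear text is ignored rather
        # than acted on; it has already been exposed on the wire.
        return 301, [("Location", "https://%s%s" % (host, path))]
    if path == LOGIN_PATH and method == "POST" and credentials_ok:
        session_id = secrets.token_hex(16)   # 128-bit random session identifier
        return 302, [("Location", "https://%s/" % host),
                     ("Set-Cookie", build_session_cookie(session_id))]
    return 200, [("Content-Type", "text/html")]


def cookie_is_https_only(set_cookie_value):
    """Defender-side check: does a Set-Cookie value carry the Secure flag?"""
    cookie = SimpleCookie()
    cookie.load(set_cookie_value)
    return all(bool(morsel["secure"]) for morsel in cookie.values())


if __name__ == "__main__":
    # Constructed requests: one over http, one over https.
    print(handle_login("http", "aur.example.org", "/login", "POST", True))
    status, headers = handle_login("https", "aur.example.org", "/login", "POST", True)
    print(status, headers)
    # Weak versus hardened cookie, as a server operator might see in a response:
    print(cookie_is_https_only("AURSID=deadbeef; Path=/"))          # False
    print(cookie_is_https_only("AURSID=deadbeef; Path=/; Secure"))  # True
```

A quick way to audit a deployment is to fetch the login page over http and confirm a 301 to the https URL, then log in over https and confirm the `Set-Cookie` response header carries `Secure`; the `cookie_is_https_only` check above does the second part on the raw header value.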