[aur-general] Securing the AUR website

Florian Pritz bluewind at xinu.at
Sat Aug 6 07:25:05 EDT 2011


On 06.08.2011 13:13, Lukas Fleischer wrote:
> On Sat, Aug 06, 2011 at 01:02:03PM +0200, Thomas Bächler wrote:
>> Am 05.08.2011 23:54, schrieb Lukas Fleischer:
>> > [1] http://projects.archlinux.org/aur.git/commit/?id=1e7b9d57
>> > [2] http://projects.archlinux.org/aur.git/commit/?id=5ea9fc19
>> > [3] http://projects.archlinux.org/aur.git/commit/?id=973e4f85
>> > [4] http://projects.archlinux.org/aur.git/commit/?id=89721137
>> 
>> Those commits are nothing but a charade. The very least you must do is this:
>> 
>> 1) ALWAYS force a redirect to https on the AUR login page, never allow
>> the login to be submitted unencrypted.
> 
> Thought about that. The problem is that there currently isn't a separate
> login page. Maybe removing the overall login form and creating a
> separate page for that will make things easier.
> 
>> 2) Ensure that the cookie is never sent over http, only over https.
> 
> We discussed that before, see the other replies. This will be
> implemented.

Securing the login page itself is quite good and prevents eavesdropping,
but it doesn't take care of MITM attacks.

If Alice is on http://aur.archlinux.org and clicks on a login link that
points to http://aur.archlinux.mallory.com/login.php, the browser won't
complain about anything and Mallory can easily get access to her password.

-- 
Florian Pritz
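An added check for the points raised in this thread (not code from the AUR project): it audits a login page for the three properties discussed, that the page carrying the form is itself served over https, that the form submits over https to the trusted host, and that the session cookie carries the Secure flag (HttpOnly as a bonus). The sample HTML, headers and the cookie name SID are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, urljoin


class _FormActions(HTMLParser):
    """Collect the action attribute of every <form> on the page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.actions.append(dict(attrs).get("action") or "")


def audit_login(page_url, html, response_headers, trusted_host):
    """Return a list of findings; an empty list means all checks passed."""
    findings = []
    # A form delivered over plain http can be rewritten in transit, so the
    # https-only login target is worthless if the page around it is http.
    if urlparse(page_url).scheme != "https":
        findings.append("page served over http: login form can be rewritten in transit")
    parser = _FormActions()
    parser.feed(html)
    for action in parser.actions:
        target = urlparse(urljoin(page_url, action))
        if target.scheme != "https":
            findings.append(f"form submits over {target.scheme}: {target.geturl()}")
        if target.hostname != trusted_host:
            findings.append(f"form submits to foreign host: {target.hostname}")
    for name, value in response_headers:
        if name.lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {cookie} lacks Secure flag")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie} lacks HttpOnly flag")
    return findings


# Constructed sample: an http page whose login link was rewritten by a
# man-in-the-middle, plus a session cookie set without Secure.
MITM_HTML = '<form action="http://aur.archlinux.mallory.com/login.php" method="post">...</form>'
WEAK_HEADERS = [("Set-Cookie", "SID=abc123; path=/")]
# Constructed sample of the hardened configuration.
SAFE_HTML = '<form action="https://aur.archlinux.org/login.php" method="post">...</form>'
SAFE_HEADERS = [("Set-Cookie", "SID=abc123; path=/; Secure; HttpOnly")]
```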
