[aur-general] Securing the AUR website
Loui Chang
louipc.ist at gmail.com
Sat Aug 6 04:30:09 EDT 2011
On Sat 06 Aug 2011 13:25 +0200, Florian Pritz wrote:
> On 06.08.2011 13:13, Lukas Fleischer wrote:
> > On Sat, Aug 06, 2011 at 01:02:03PM +0200, Thomas Bächler wrote:
> >> Am 05.08.2011 23:54, schrieb Lukas Fleischer:
> >> > [1] http://projects.archlinux.org/aur.git/commit/?id=1e7b9d57
> >> > [2] http://projects.archlinux.org/aur.git/commit/?id=5ea9fc19
> >> > [3] http://projects.archlinux.org/aur.git/commit/?id=973e4f85
> >> > [4] http://projects.archlinux.org/aur.git/commit/?id=89721137
> >>
> >> Those commits are nothing but a charade. The very least you must do is this:
> >>
> >> 1) ALWAYS force a redirect to https on the AUR login page, never allow
> >> the login to be submitted unencrypted.
> >
> > Thought about that. The problem is that there currently isn't a separate
> > login page. Maybe removing the overall login form and creating a
> > separate page for that will make things easier.
> >
> >> 2) Ensure that the cookie is never sent over http, only over https.
> >
> > We discussed that before, see the other replies. This will be
> > implemented.
>
> Securing the login page itself is quite good and prevents eavesdropping,
> but it doesn't take care of MITM attacks.
>
> If Alice is on http://aur.archlinux.org and clicks on a login link that
> points to http://aur.archlinux.mallory.com/login.php the browser won't
> complain about anything and Mallory can easily get access to her password.
This is why the redirects are also a charade.
If Bob requests http://aur.archlinux.org but is redirected to
http://aur.archlinux.frank.org rather than https://aur.archlinux.org
he is probably expecting http anyways and may not bat an eye.
More information about the aur-general
mailing list