[aur-general] Securing the AUR website

Lukas Fleischer archlinux at cryptocrack.de
Sat Aug 6 08:07:34 EDT 2011


On Sat, Aug 06, 2011 at 01:40:38PM +0200, Pierre Schmitz wrote:
> On Sat, 6 Aug 2011 04:30:09 -0400, Loui Chang wrote:
> > This is why the redirects are also a charade.
> > If Bob requests http://aur.archlinux.org but is redirected to
> > http://aur.archlinux.frank.org rather than https://aur.archlinux.org
> > he is probably expecting http anyways and may not bat an eye.
> 
> HSTS tries to address this issue. At least regular users will be
> secured by using this.

That is crap. HSTS alone won't fix this at all. If the response to the
first HTTP request is already injected, the browser won't even see the
HSTS headers at all. As a said before, the certificate itself is the
only feature that allows for checking authenticity here.


More information about the aur-general mailing list