[aur-general] Securing the AUR website
bluewind at xinu.at
Sat Aug 6 08:15:43 EDT 2011
On 06.08.2011 13:43, Lukas Fleischer wrote:
> On Sat, Aug 06, 2011 at 01:25:05PM +0200, Florian Pritz wrote:
>> On 06.08.2011 13:13, Lukas Fleischer wrote:
>> > On Sat, Aug 06, 2011 at 01:02:03PM +0200, Thomas Bächler wrote:
>> >> Am 05.08.2011 23:54, schrieb Lukas Fleischer:
>> >> >  http://projects.archlinux.org/aur.git/commit/?id=1e7b9d57
>> >> >  http://projects.archlinux.org/aur.git/commit/?id=5ea9fc19
>> >> >  http://projects.archlinux.org/aur.git/commit/?id=973e4f85
>> >> >  http://projects.archlinux.org/aur.git/commit/?id=89721137
>> >> Those commits are nothing but a charade. The very least you must do is this:
>> >> 1) ALWAYS force a redirect to https on the AUR login page, never allow
>> >> the login to be submitted unencrypted.
>> > Thought about that. The problem is that there currently isn't a separate
>> > login page. Maybe removing the overall login form and creating a
>> > separate page for that will make things easier.
>> >> 2) Ensure that the cookie is never sent over http, only over https.
>> > We discussed that before, see the other replies. This will be
>> > implemented.
>> Securing the login page itself is quite good and prevents eavesdropping,
>> but it doesn't take care of MITM attacks.
>> If Alice is on http://aur.archlinux.org and clicks on a login link that
>> points to http://aur.archlinux.mallory.com/login.php the browser won't
>> complain about anything and Mallory can easily get access to her password.
> Mallory could do that whenever he wants to. Even if we use HTTPS for the
> whole AUR, there could be a MITM attack when the user requests
> http://archlinux.org/. The only thing that fixes that properly is the
> SSL certificate itself (and probably only an EV-SSL certificate will make
> this really easily recognisable).
Unfortunately that doesn't add any security.
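The two measures Thomas lists (never accept the login form over plain HTTP; never let the session cookie travel over HTTP) as an added PHP sketch for a hypothetical login.php. This is example code, not AUR's own; it assumes PHP 5.3+ and a web server that sets $_SERVER['HTTPS'] on TLS connections.

```php
<?php
// Added example, not AUR code. Both checks run before any form handling.

// True when the current request arrived over TLS (server-dependent; Apache
// and nginx set HTTPS to "on", some servers leave it unset or "off").
function request_is_https()
{
    return !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';
}

// 1) Force the login page onto https://. The hostname is fixed rather than
//    taken from the Host header so an attacker cannot steer the redirect.
function force_https()
{
    if (request_is_https()) {
        return;
    }
    $target = 'https://aur.archlinux.org' . $_SERVER['REQUEST_URI'];
    header('Location: ' . $target, true, 301);
    exit; // a POST that arrived over http is never processed
}

// 2) Mark the session cookie Secure (browser only sends it over https://)
//    and HttpOnly (not exposed to scripts) before the session starts.
function start_secure_session()
{
    $p = session_get_cookie_params();
    session_set_cookie_params(
        $p['lifetime'],
        $p['path'],
        $p['domain'],
        true,   // secure
        true    // httponly
    );
    session_start();
}

force_https();
start_secure_session();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // credential check goes here; it is only ever reached over TLS
}
```

A quick check after deploying: the Set-Cookie header for the session must carry the `secure` attribute, and a plain `http://` request to login.php must answer with a 301 to the `https://` URL rather than a form.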