[aur-general] Securing the AUR website

Pierre Schmitz pierre at archlinux.de
Sat Aug 6 08:17:57 EDT 2011


On Sat, 6 Aug 2011 14:07:34 +0200, Lukas Fleischer wrote:
> On Sat, Aug 06, 2011 at 01:40:38PM +0200, Pierre Schmitz wrote:
>> On Sat, 6 Aug 2011 04:30:09 -0400, Loui Chang wrote:
>> > This is why the redirects are also a charade.
>> > If Bob requests http://aur.archlinux.org but is redirected to
>> > http://aur.archlinux.frank.org rather than https://aur.archlinux.org
>> > he is probably expecting http anyways and may not bat an eye.
>>
>> HSTS tries to address this issue. At least regular users will be
>> secured by using this.
> 
> That is crap. HSTS alone won't fix this at all. If the response to the
> first HTTP request is already injected, the browser won't even see the
> HSTS headers at all. As I said before, the certificate itself is the
> only feature that allows for checking authenticity here.

Neither I nor the HSTS website tells you that this is about securing
the first http request. That's why I said this will only secure regular
users. Also you should note that this is only a small step to make
things a little more secure.

Anyway; this is going nowhere. So if the TUs and AUR users prefer less
security somehow there is not much I can do about it. All arguments
have been described, so now it's up to you to decide whether to ignore
them or not.

Greetings,

Pierre

-- 
Pierre Schmitz, https://users.archlinux.de/~pierre
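The point both sides are circling, as an added example that is not part of the mailing-list thread or of the AUR code: a minimal model of a browser's HSTS cache (RFC 6797). It shows why an injected plaintext reply to the very first http:// request wins (the browser never sees a Strict-Transport-Security header, and per RFC 6797 section 8.1 would ignore one sent over plain HTTP anyway), while a user who has previously reached the site over TLS has the http:// URL upgraded before any request leaves the machine. The host names are the ones used in the thread; the `NETWORK` table is a constructed stand-in for what the wire returns, including the attacker's injected redirect, and is an assumption of this example, not a description of the real aur.archlinux.org.

```python
# Added example: toy HSTS cache and fetch loop (not from the AUR project).
import time
from urllib.parse import urlsplit, urlunsplit


def parse_sts_header(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Returns None for an unusable header (missing or non-numeric max-age),
    which the user agent must treat as if no header were present.
    """
    max_age = None
    include_subdomains = False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age":
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return max_age, include_subdomains


class HstsCache:
    """Per-host 'known HSTS host' store, as a browser keeps it."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._hosts = {}           # host -> (expiry_time, include_subdomains)

    def note_response(self, url, headers):
        """Record a policy, but only from a response received over TLS.

        RFC 6797 section 8.1: an STS header on a plain-HTTP response is ignored,
        so the first http:// request can never establish a policy.
        """
        parts = urlsplit(url)
        if parts.scheme != "https":
            return False
        sts = headers.get("Strict-Transport-Security")
        parsed = parse_sts_header(sts) if sts is not None else None
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        if max_age == 0:                      # max-age=0 deletes the entry
            self._hosts.pop(parts.hostname, None)
            return True
        self._hosts[parts.hostname] = (self._now() + max_age, include_subdomains)
        return True

    def is_known(self, host):
        host = host.lower()
        for known, (expiry, include_subdomains) in self._hosts.items():
            if self._now() >= expiry:
                continue
            if host == known or (include_subdomains and host.endswith("." + known)):
                return True
        return False

    def rewrite(self, url):
        """Upgrade http:// to https:// before the request is sent, if the host is known."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url


def fetch(cache, url, network, max_redirects=5):
    """Follow redirects as a UA with an HSTS cache would; return the final URL."""
    for _ in range(max_redirects):
        url = cache.rewrite(url)              # HSTS applies before anything hits the wire
        status, headers = network[url]
        cache.note_response(url, headers)
        if status in (301, 302) and "Location" in headers:
            url = headers["Location"]
            continue
        return url
    raise RuntimeError("too many redirects")


# Constructed wire responses (assumption for this example): the attacker answers
# the plaintext request with a redirect to a look-alike host; the genuine server
# is reached over TLS and sets HSTS for one year.
NETWORK = {
    "http://aur.archlinux.org": (302, {"Location": "http://aur.archlinux.frank.org"}),
    "http://aur.archlinux.frank.org": (200, {}),
    "https://aur.archlinux.org": (200, {"Strict-Transport-Security": "max-age=31536000"}),
}


def first_visit():
    """Bob has never seen the site: nothing stops the injected redirect."""
    return fetch(HstsCache(), "http://aur.archlinux.org", NETWORK)


def returning_visit():
    """Bob reached the site over TLS earlier; the http:// link is upgraded locally."""
    cache = HstsCache()
    fetch(cache, "https://aur.archlinux.org", NETWORK)   # earlier, untampered session
    return fetch(cache, "http://aur.archlinux.org", NETWORK)
```

`first_visit()` ends on the attacker's host because the only response the browser ever sees is the injected plaintext redirect; `returning_visit()` ends on `https://aur.archlinux.org` without the http:// URL ever being requested, which is the "regular users" case in the reply above. The cache entry is only as trustworthy as the TLS session that created it, which is why the certificate, not the header, carries the authenticity.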

