[aur-general] Securing the AUR website

Lukas Fleischer archlinux at cryptocrack.de
Sat Aug 6 08:21:31 EDT 2011


On Sat, Aug 06, 2011 at 02:15:43PM +0200, Florian Pritz wrote:
> On 06.08.2011 13:43, Lukas Fleischer wrote:
> > On Sat, Aug 06, 2011 at 01:25:05PM +0200, Florian Pritz wrote:
> >> On 06.08.2011 13:13, Lukas Fleischer wrote:
> >> > On Sat, Aug 06, 2011 at 01:02:03PM +0200, Thomas Bächler wrote:
> >> >> Am 05.08.2011 23:54, schrieb Lukas Fleischer:
> >> >> > [1] http://projects.archlinux.org/aur.git/commit/?id=1e7b9d57
> >> >> > [2] http://projects.archlinux.org/aur.git/commit/?id=5ea9fc19
> >> >> > [3] http://projects.archlinux.org/aur.git/commit/?id=973e4f85
> >> >> > [4] http://projects.archlinux.org/aur.git/commit/?id=89721137
> >> >> 
> >> >> Those commits are nothing but a charade. The very least you must do is this:
> >> >> 
> >> >> 1) ALWAYS force a redirect to https on the AUR login page, never allow
> >> >> the login to be submitted unencrypted.
> >> > 
> >> > Thought about that. The problem is that there currently isn't a separate
> >> > login page. Maybe removing the overall login form and creating a
> >> > separate page for that will make things easier.
> >> > 
> >> >> 2) Ensure that the cookie is never sent over http, only over https.
> >> > 
> >> > We discussed that before, see the other replies. This will be
> >> > implemented.
> >> 
> >> Securing the login page itself is quite good and prevents eavesdropping,
> >> but it doesn't take care of MITM attacks.
> >> 
> >> If Alice is on http://aur.archlinux.org and clicks on a login link that
> >> points to http://aur.archlinux.mallory.com/login.php the browser won't
> >> complain about anything and Mallory can easily get access to her password.
> > 
> > Mallory could do that whenever he wants to. Even if we use HTTPs for the
> > whole AUR, there could be a MITM attack when the user requests
> > http://archlinux.org/. The only thing that fixes that properly is the
> > SSL certificate itself (and probably only a EV-SSL certificate will make
> > this really easily recognisable).
> 
> Unfortunately that doesn't add any security.
> 
> http://en.wikipedia.org/wiki/Extended_Validation_Certificate#Effectiveness_against_phishing_attacks

Dude, that paper talks about people with "no training in browser
security features". That's people who know nothing about SSL
certificates and cannot even distinguish between the blue and the green
mark that Firefox shows beside the address bar. I doubt this is our
target group. Please don't just paste anything you picked up anywhere.


More information about the aur-general mailing list