[aur-general] Securing the AUR website

Baptiste zerstorer at free.fr
Sat Sep 3 10:40:55 EDT 2011


On Sat, Sep 03, 2011 at 02:55:50PM +0100, Gordon JC Pearce wrote:
> On Sat, 3 Sep 2011 01:18:58 -0300
> rafael ff1 <rafael.f.f1 at gmail.com> wrote:
> 
> > 
> > 's' stands for Secure. Maybe security is a good reason.
> > 
> 
> Oh, okay, so you put an "S" in and it waves the magic "secure" stick.  Very good.
> 
> What happens if you're using a password you don't care about for AUR?

This is in no way an argument... What happens if *at least* one person
cares about their AUR password out there? And anyway, having an AUR
account hijacked could be damaging to a lot of people.

And would you really be ok if someone popped up a fake AUR website
in your browser? (let's say in Syria...) Obviously, your browser won't
notice anything if you're using plain old HTTP.

And seriously, you must be logging in to a bunch of websites every day
(be it your webmail, your Twitter/G+/whatever); are you really,
deliberately using HTTP there? If you lived in China, Libya or Syria,
you wouldn't...

The current SSL system has some weaknesses, most notably being forced
to trust a tremendous amount of CAs. But then, why stick to something
that's more than 15 years old, when there is an alternative that
offers you encryption and makes sure that you talk to the real server?

-- 
"C'est mieux, mais il y a plus cher ailleurs" :
  ____ _   _ _   _   ___     _                  
 / ___| \ | | | | | / / |   (_)_ __  _   ___  __
| |  _|  \| | | | |/ /| |   | | '_ \| | | \ \/ /
| |_| | |\  | |_| / / | |___| | | | | |_| |>  < 
 \____|_| \_|\___/_/  |_____|_|_| |_|\__,_/_/\_\

GNU/Linux fan && Archlinux user

