[aur-general] Securing the AUR website

Matej Ľach matej.lach at gmail.com
Sat Sep 3 12:50:00 EDT 2011 

On 03/09/11 16:49, Gordon JC Pearce wrote:
> On Sat, 03 Sep 2011 15:49:30 +0100
> Matej Ľach<matej.lach at gmail.com>  wrote:
>
>> On 03/09/11 14:55, Gordon JC Pearce wrote:
>>> On Sat, 3 Sep 2011 01:18:58 -0300
>>> rafael ff1<rafael.f.f1 at gmail.com>   wrote:
>>>
>>>> 's' stands for Secure. Maybe security is a good reason.
>>>>
>>> Oh, okay, so you put an "S" in and it waves the magic "secure" stick.  Very good.
>>>
>>> What happens if you're using a password you don't care about for AUR?
>>>
>> If you are using such password then you are putting AUR at risk because
>> if your password can be easily cracked there is a possibility that an
> I didn't say it could be "easily cracked".  I said it's a password that I don't particularly care if I run up against the tiny, vanishingly small chance that anyone is bored enough to somehow tap into my LAN and sniff it.
>
>
>> attacker would be able to compromise the whole AUR service using your
>> Is there any particular problem why you can't/don't want to use HTTPS?
>> If yes, we may be able to help you...
> One is that https is painfully slow over slow or unreliable connections (GPRS springs to mind; 3G service is patchy here).
> The other is that switching to https has left AUR in a fundamentally broken state.  If you search for a package on AUR with any of the significant search engines, they return an http link.  You can't do anything with this, though, because *even if you're logged in* you get the "ZOMG OH NOES YOU AREN'T USING HTTPS AND HTTPS IS TEH AWSUM!!!!11!!11!" message.
> Now, if clicking on that took you *to the same page but with https* that would be fine, but it doesn't.  It unceremoniously dumps you on the index page for AUR, with no way to get back to the package that you googled.
>
> So, the only way to use AUR from (say) Google is to search for a package, click on it, copy the address from the bar, click on the https login link, log in (since even if you're logged in, visiting the http page seems to log you out), then paste the address you got from the search engine into the address bar, edit it to go to https, then hit return.  This is hardly a seamless user experience, but it ought to be trivial to fix.
>
> Sort it the fuck out.
>
> If you want me to put my money where my mouth is and contribute some code, then just ask.
>

""I didn't say it could be "easily cracked".""

I didn't say that you said such thing. It's just my assuming that if you don't care as much about it, it may be more vulnerable...


I am sure devs are working hard to make AUR more secure, but also more useable than before, just give them more time.
You can also use some sort of plugin for your browser that will transfer you form Google to HTTPS AUR automatically.

-- 
Support Free and Open Source Software -- www.fsf.org -- Join Us Today!
     _             _     _     _                    _   _
    / \   _ __ ___| |__ | |   (_)_ __  _   ___  __ | | | |___  ___ _ __
   / _ \ | '__/ __| '_ \| |   | | '_ \| | | \ \/ / | | | / __|/ _ \ '__|
  / ___ \| | | (__| | | | |___| | | | | |_| |>   <   | |_| \__ \  __/ |
/_/   \_\_|  \___|_| |_|_____|_|_| |_|\__,_/_/\_\  \___/|___/\___|_|

                         -- www.matej-lach.net --

More information about the aur-general mailing list