On 06.08.2011 13:13, Lukas Fleischer wrote:
> On Sat, Aug 06, 2011 at 01:02:03PM +0200, Thomas Bächler wrote:
>> On 05.08.2011 23:54, Lukas Fleischer wrote:
>> > [1] http://projects.archlinux.org/aur.git/commit/?id=1e7b9d57
>> > [2] http://projects.archlinux.org/aur.git/commit/?id=5ea9fc19
>> > [3] http://projects.archlinux.org/aur.git/commit/?id=973e4f85
>> > [4] http://projects.archlinux.org/aur.git/commit/?id=89721137
>>
>> Those commits are nothing but a charade. The very least you must do is this:
>>
>> 1) ALWAYS force a redirect to https on the AUR login page, never allow
>> the login to be submitted unencrypted.
>
> Thought about that. The problem is that there currently isn't a separate
> login page. Maybe removing the overall login form and creating a
> separate page for that will make things easier.
>
>> 2) Ensure that the cookie is never sent over http, only over https.
>
> We discussed that before, see the other replies. This will be
> implemented.
Securing the login page itself is quite good and prevents eavesdropping, but it doesn't take care of MITM attacks. If Alice is on http://aur.archlinux.org and clicks on a login link that points to http://aur.archlinux.mallory.com/login.php the browser won't complain about anything and Mallory can easily get access to her password.

-- 
Florian Pritz
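The two requirements quoted in the thread (force the login onto https, and never let the session cookie travel over http), as an added PHP example that is not AUR code: the function names are assumptions, the canonical host aur.archlinux.org is taken from the thread, and the array form of session_set_cookie_params assumes PHP 7.3 or newer.

```php
<?php
// Added example, not part of the AUR code base. Sketches how a login.php
// could satisfy both points raised in the thread.

// Canonical host from the thread. Redirecting to a fixed host rather than
// to whatever the Host header says keeps the redirect from pointing at a
// look-alike domain.
const CANONICAL_HOST = 'aur.archlinux.org';

// 1) Never process a login over plain http: redirect to the https URL of
//    the same path before any form data is read or any cookie is set.
function force_https(): void
{
    $is_https = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
        || (($_SERVER['SERVER_PORT'] ?? null) == 443);
    if ($is_https) {
        return;
    }
    // A 301 makes the browser re-request with GET, so a password that was
    // already POSTed unencrypted is dropped instead of being accepted.
    $path = $_SERVER['REQUEST_URI'] ?? '/login.php';
    header('Location: https://' . CANONICAL_HOST . $path, true, 301);
    exit;
}

// 2) Mark the session cookie Secure (the browser only sends it over https)
//    and HttpOnly (not readable by page scripts) before the session starts.
function start_secure_session(): void
{
    session_set_cookie_params([
        'lifetime' => 0,          // session cookie, discarded on browser exit
        'path'     => '/',
        'domain'   => '',         // host-only cookie for the canonical host
        'secure'   => true,       // never sent over http
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

force_https();
start_secure_session();
// ... credential check and login form handling would follow here.
```

Point 2 covers the cookie only: as the reply below the quotes notes, it does nothing about a login link on an http page that points at another host, so the http page that carries the link needs the same treatment.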
