On 06.08.2011 13:43, Lukas Fleischer wrote:
> On Sat, Aug 06, 2011 at 01:25:05PM +0200, Florian Pritz wrote:
>> On 06.08.2011 13:13, Lukas Fleischer wrote:
>> > On Sat, Aug 06, 2011 at 01:02:03PM +0200, Thomas Bächler wrote:
>> >> On 05.08.2011 23:54, Lukas Fleischer wrote:
>> >> > [1] http://projects.archlinux.org/aur.git/commit/?id=1e7b9d57
>> >> > [2] http://projects.archlinux.org/aur.git/commit/?id=5ea9fc19
>> >> > [3] http://projects.archlinux.org/aur.git/commit/?id=973e4f85
>> >> > [4] http://projects.archlinux.org/aur.git/commit/?id=89721137
>> >>
>> >> Those commits are nothing but a charade. The very least you must do is
>> >> this:
>> >>
>> >> 1) ALWAYS force a redirect to https on the AUR login page, never allow
>> >> the login to be submitted unencrypted.
>> >
>> > Thought about that. The problem is that there currently isn't a separate
>> > login page. Maybe removing the overall login form and creating a
>> > separate page for that will make things easier.
>> >
>> >> 2) Ensure that the cookie is never sent over http, only over https.
>> >
>> > We discussed that before, see the other replies. This will be
>> > implemented.
>>
>> Securing the login page itself is quite good and prevents eavesdropping,
>> but it doesn't take care of MITM attacks.
>>
>> If Alice is on http://aur.archlinux.org and clicks on a login link that
>> points to http://aur.archlinux.mallory.com/login.php the browser won't
>> complain about anything and Mallory can easily get access to her password.
>
> Mallory could do that whenever he wants to. Even if we use HTTPS for the
> whole AUR, there could be a MITM attack when the user requests
> http://archlinux.org/. The only thing that fixes that properly is the
> SSL certificate itself (and probably only an EV-SSL certificate will make
> this really easily recognisable).
Unfortunately that doesn't add any security.
http://en.wikipedia.org/wiki/Extended_Validation_Certificate#Effectiveness_against_phishing_attacks

-- 
Florian Pritz
