Excerpts from Smartboy's message of 2010-10-30 14:08:35 +0200:
> On 10/30/2010 04:42 AM, Philipp Überbacher wrote:
> > Excerpts from Justin Davis's message of 2010-10-29 20:25:26 +0200:
> >> I'm glad I sparked a discussion!
> >>
> >> I however am still on the decidedly non-paranoid side. Yes I know how
> >> man in the middle attacks work. Yes I understand it's possible. No I
> >> don't think it's likely. Basically because there is no money involved.
> >> Take that as naivete or ignorance if you want but I'm not jumping on
> >> the bandwagon.
> >>
> >> Everyone has taken a technical low-level look at the problem but my
> >> point of view is a little broader. The AUR security model is so weak
> >> as it is. Anyone can upload any package to run arbitrary code on your
> >> machine. Just slapping on https as if to say "we're secure now!"
> >> doesn't make me feel more secure. If someone wants to mess with me
> >> they don't have to hijack my connection, they just upload a bad
> >> package.
> >>
> >> Just to be clear I think the freedom of allowing anyone to upload a
> >> package is a good thing and worth the security risk. I haven't been
> >> bitten by any malicious packages so far, though I usually check them.
> >> HTTPS is great, feel free to use it. Switching it to mandatory and
> >> telling me how much better off I am seems a bit like evangelism.
> >>
> >> I don't think HTTPS is bad, I just think forcing everything to HTTPS is
> >> lazier than fixing the login to use HTTPS. Yes people can sniff my
> >> session id to just about any site I visit. Session IDs change.
> >> Sniffing a password is much more dangerous. Passwords are personal
> >> property. Passwords can be reused... like on other ArchLinux sites.
> > Often enough, and AUR is an example, it's sufficient to be logged in to
> > change the current password. Knowing the session ID is thus almost
> > equivalent to knowing the password.
> >
> Yes, but one thing keeps coming up in my mind: how many people would
> actually DO this? It isn't like the AUR is that big a target, most
> PKGBUILDs aren't that big a target and I doubt a hacker would go out of
> their way to track one of the maintainers, wait for them to go to a
> public network, then get their session id. If it were one of the binary
> repos, I'd understand, but at this point it just seems like Fear,
> Uncertainty, and Doubt have visited once again.
>
> Smartboy
I don't have a strong opinion towards either approach, I just argued that there is not so much difference between sniffing passwords and session IDs on AUR. Now that you say maintainers, I wonder how the system works for TUs, since they do upload binary packages. Is there a single sign-on or something like this?
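The two points argued above (a session ID sniffed from a plain-HTTP page is as good as the password when "change password" only checks that you are logged in, and an HTTPS-only login does not protect the session cookie if the rest of the site is HTTP) are easy to see in a small model. The following is an added example, not code from this thread or from the AUR itself; the server state, the user "maintainer", the passwords and the attacker's guess are all constructed for the demonstration, and the cookie rule it uses is the real browser one: a cookie carrying the Secure attribute is only sent over https.

```python
"""Constructed model of session hijacking versus password theft.

Not AUR code. It models a site that does its login over HTTPS and then
serves ordinary pages over plain HTTP, and compares two designs of the
"change password" page.
"""
import hashlib
import hmac
import os
import secrets

# Toy server state (constructed sample data, reset by scenario()).
USERS = {}     # username -> (salt, pbkdf2 hash)
SESSIONS = {}  # session id -> username

# Iteration count kept low so the demo runs quickly; use far more in practice.
PBKDF2_ROUNDS = 20_000


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def set_password(username, password):
    salt = os.urandom(16)
    USERS[username] = (salt, _hash(password, salt))


def verify_password(username, password):
    salt, stored = USERS[username]
    return hmac.compare_digest(stored, _hash(password, salt))


def login(username, password, secure_cookie):
    """Login happens over HTTPS. Returns (session id, cookie attributes) or None."""
    if not verify_password(username, password):
        return None
    sid = secrets.token_hex(16)
    SESSIONS[sid] = username
    return sid, {"Secure": secure_cookie}


def browser_sends_cookie(cookie_attrs, scheme):
    """Browser rule: a Secure cookie is only attached to https requests."""
    return scheme == "https" or not cookie_attrs["Secure"]


def sniff(scheme, sid, cookie_attrs):
    """Passive observer on the wire: sees the cookie only if it travels over http."""
    if scheme == "http" and browser_sends_cookie(cookie_attrs, scheme):
        return sid
    return None


def change_password_session_only(sid, new_password):
    """Weak design: being logged in is enough, so a stolen session id is a password."""
    user = SESSIONS.get(sid)
    if user is None:
        return False
    set_password(user, new_password)
    return True


def change_password_reauth(sid, current_password, new_password):
    """Hardened design: the current password must be presented again."""
    user = SESSIONS.get(sid)
    if user is None or not verify_password(user, current_password):
        return False
    set_password(user, new_password)
    return True


def scenario(secure_cookie, require_reauth):
    """Returns (sid_was_sniffed, attacker_changed_password, victim_password_still_works)."""
    USERS.clear()
    SESSIONS.clear()
    set_password("maintainer", "correct horse")          # constructed credentials
    sid, attrs = login("maintainer", "correct horse", secure_cookie)
    # The victim then views an ordinary package page over plain http.
    stolen = sniff("http", sid, attrs)
    changed = False
    if stolen is not None:
        if require_reauth:
            changed = change_password_reauth(stolen, "attacker guess", "pwned")
        else:
            changed = change_password_session_only(stolen, "pwned")
    return stolen is not None, changed, verify_password("maintainer", "correct horse")


if __name__ == "__main__":
    for secure, reauth in ((False, False), (False, True), (True, False)):
        print(f"Secure cookie={secure!s:5} reauth={reauth!s:5} ->", scenario(secure, reauth))
```

The third case is the catch with "just fix the login": marking the session cookie Secure stops the sniffing, but a site that serves its normal pages over HTTP cannot do that, because the browser would then never send the session to those pages. Either the whole session stays on HTTPS, or the password-change page (and anything else of value) has to demand the current password so that a sniffed session alone is not enough.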