[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: [PATCH] Obfuscate auth info

From: Bruce Elrick <bruce_at_elrick.ca>
Date: 2006-10-19 16:53:26 CEST

On 10/19/06, Alex Holst <a@mongers.org> wrote:
>
> Quoting Karl Fogel (kfogel@red-bean.com):
> > In the meantime, obfuscating the auth data seems like an unambiguous
> > win to me:
> >
> > 1. Organizations that currently don't adopt Subversion because of
> > this (and there are some) will now be willing to adopt it. More
> > users is good. They understand that it's still cleartext, but
> > they want to at least avoid accidental compromises.
>
> You are kind of proving my point here, Karl. If storing a plain text
> password is enough to keep users from migrating to subversion,
> obfuscation of auth data is clearly perceived (by some decision makers)
> as a security benefit at some level, even when it's not one.

I think that's a straw man. The users are not complaining about the
password being easily gotten by bad guys, they are complaining about it not
being easy for good guys to avoid seeing the password. This is meant to
allow the latter and makes no claims to prevent the former.

Bruce

-- 
Bruce Elrick
bruce@elrick.ca
bruce.elrick@gmail.com
Received on Thu Oct 19 16:53:56 2006

This is an archived mail posted to the Subversion Dev mailing list.