
Re: Are http-based password authentications secure?

From: Scott Lamb <slamb_at_slamb.org>
Date: 2006-04-26 17:42:38 CEST

On Apr 25, 2006, at 11:27 PM, Konrad Rosenbaum wrote:
> On Tuesday 25 April 2006 18:53, Scott Lamb wrote:
>> And if you're worried about man-in-the-middle attacks, it depends on
>> how you set up the *client*. If it allows the server to request basic
>> authentication, then "http://" is not secure. I don't think
>> Subversion has a way to prevent basic auth from being used (most http
>> clients don't), so "https://" is a more secure choice.
>
> As far as I know the protocol digest auth via http does not prevent
> man-in-the-middle - it only prevents the man in the middle from snooping
> the password - he can still modify the data transmitted.

I agree.

> So maybe the password is transferred securely, but you didn't gain
> much.

Well, my point is that even if you're only concerned about the
password, telling the server to use digest is not enough. You need to
tell the client not to send its password in plaintext, and https is
the only way to do that now. So my conclusion's the same as yours:
use https.

Being only concerned about the password is not unreasonable. It could
be a password shared with other systems that are much more sensitive.
Thus, even being able to impersonate someone to the Subversion server
might be much less significant than obtaining their password, which
could be used to gain access to the other systems.

> Use https. Today's servers (even the small ones) are strong enough to do the
> crypto overhead without complaint.

The human set-up work is a bigger problem. I'm finding lately that a
_lot_ of people don't understand certificate chains, certificate
signing requests, and the like. I haven't found any decent guides on
the web, either. They tend to do everything in a single session,
mixing up the different roles and making it hard to distinguish who
is supposed to have access to what private data.

Regards,
Scott

-- 
Scott Lamb <http://www.slamb.org/>
Received on Wed Apr 26 17:44:54 2006
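An added example, written for this archive page and not taken from the thread or from Subversion's own code, that models the two points made in the message above: a client that answers whichever scheme the server offers leaks the password as soon as an on-path attacker rewrites the server's Digest challenge into a Basic one, whereas a client that refuses Basic over plain http:// does not; and a Digest (qop=auth) response still verifies after the attacker alters the request body, because the digest covers only method and URI. The hostname, credential, nonces and the "strict client" policy are constructed assumptions, and the toy server keeps the cleartext password only to keep the code short (a real server would store HA1).

```python
"""Toy model of HTTP Basic/Digest auth on an untrusted path (constructed example)."""
import base64
import hashlib
import re
from urllib.parse import urlsplit

USER = "alice"
PASSWORD = "hunter2"        # constructed example credential, not a real one
REALM = "svn-repo"          # assumed realm name
URL = "http://svn.example.org/repos/trunk"   # assumed repository URL


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def server_challenge(nonce: str) -> str:
    """WWW-Authenticate value a Digest-only server would send."""
    return f'Digest realm="{REALM}", qop="auth", nonce="{nonce}", algorithm=MD5'


def mitm_downgrade(challenge: str) -> str:
    """On-path attacker rewrites the Digest challenge to Basic (the downgrade)."""
    if challenge.startswith("Digest"):
        return f'Basic realm="{REALM}"'
    return challenge


def parse_auth(header: str):
    """Split 'Scheme k=v, k="v"' into (scheme, {k: v})."""
    scheme, _, params = header.partition(" ")
    return scheme, dict(re.findall(r'(\w+)="?([^",]+)"?', params))


def digest_response(method: str, uri: str, nonce: str, cnonce: str, nc: str = "00000001") -> str:
    """RFC 2617 Digest with qop=auth: HA2 hashes only method and URI, never the body."""
    ha1 = md5hex(f"{USER}:{REALM}:{PASSWORD}")
    ha2 = md5hex(f"{method}:{uri}")
    resp = md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
    return (f'Digest username="{USER}", realm="{REALM}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


def naive_client(url: str, challenge: str, cnonce: str = "0a4f113b") -> str:
    """Typical client: answers with whatever scheme the server (or attacker) offers."""
    scheme, kv = parse_auth(challenge)
    if scheme == "Basic":
        token = base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()
        return f"Basic {token}"
    return digest_response("GET", urlsplit(url).path, kv["nonce"], cnonce)


def strict_client(url: str, challenge: str, cnonce: str = "0a4f113b") -> str:
    """Assumed hardened policy: never answer a Basic challenge unless the URL is https."""
    scheme, _ = parse_auth(challenge)
    if scheme == "Basic" and urlsplit(url).scheme != "https":
        raise PermissionError("refusing to send a cleartext password over http://")
    return naive_client(url, challenge, cnonce)


def sniff_password(authorization: str):
    """What the attacker recovers from the Authorization header on the wire."""
    if authorization.startswith("Basic "):
        return base64.b64decode(authorization[6:]).decode().split(":", 1)[1]
    return None     # Digest: only an MD5 keyed by the secret, not the secret itself


def server_verify(authorization: str, method: str, uri: str, nonce: str) -> bool:
    """Server-side check of a Digest response. The request body is not an input."""
    scheme, kv = parse_auth(authorization)
    if scheme != "Digest":
        return False
    _, expected = parse_auth(digest_response(method, uri, nonce, kv["cnonce"], kv["nc"]))
    return kv.get("response") == expected["response"]


def tampered_body_still_accepted(nonce: str = "n2") -> bool:
    """Attacker swaps the body after the client authenticated; the digest still verifies."""
    auth = naive_client(URL, server_challenge(nonce))
    original_body = b"<propertyupdate>harmless change</propertyupdate>"
    tampered_body = b"<propertyupdate>attacker change</propertyupdate>"
    assert tampered_body != original_body
    return server_verify(auth, "GET", "/repos/trunk", nonce)   # body never consulted


if __name__ == "__main__":
    downgraded = mitm_downgrade(server_challenge("n1"))
    print("naive client leaks:", sniff_password(naive_client(URL, downgraded)))
    print("digest leaks:", sniff_password(naive_client(URL, server_challenge("n1"))))
    print("body tamper accepted:", tampered_body_still_accepted())
```

The naive client is what most HTTP libraries do by default: the scheme is chosen by whatever arrives in WWW-Authenticate, so a server-side "use Digest" setting protects nothing against an attacker who can edit that header. The strict client shows the policy the message says clients generally lack; with https the challenge cannot be rewritten in transit, which is why the thread ends up at "use https" either way.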

This is an archived mail posted to the Subversion Users mailing list.
