RE: Re: plaintext passwords - my 0.02c

I am fully aware of that Subversion does not store plaintext passwords on Windows. My point is that the FAQ item doesn't say that.

It doesn't say anything about the current and planned work.

It does say, quoting here, "Nobody's cared enough to to [sic.] do this for Subversion yet..."

This "old data" is, in fact, the official FAQ for the project, and that carries weight with people evaluating software. You are absolutely correct: every point I made was invalid - and every point is taken from what the FAQ item says. That's precisely why it should be changed.

That other problems may exist (e.g., passwords in cookies) in other software does not mitigate the fact that this problem exists. That's a red herring, and immaterial to a security review of Subversion.

Cheers,
Stuart

________________________________________
From: Jeremy Whitlock [mailto:jcscoobyrs@gmail.com]
Sent: Tuesday, July 18, 2006 10:21 PM
To: users@subversion.tigris.org
Subject: Re: plaintext passwords - my 0.02c

Stuart,
    Just so you know, clear-text passwords are not the case for Windows and will not be the case for Mac OS X as of the 1.4.0 release.  Linux would still be a problem but I don't think this is a reason not to use Subversion.  Also, you say that people don't care about this issue and apparently they do because Windows already encrypts creds and Mac will in a few weeks when 1.4.0 is release.  Linux isn't getting the short end of the stick either as support for them is being worked on.

    I really do not think that using old data to formulate a reason not to use Subversion is not a good thing to do especially on the list.  Every point you brought up was invalid.  I think there are bigger fish to fry at whatever company you work for with managing the internet browser.  Clear text user credentials are stored in cookies all of the time and since physical compromise is an issue to you, you might want to look at other programs that store user credentials to complain about.

Take care,

Jeremy
On 7/18/06, Stuart Celarier <SCelarier@corillian.com> wrote:
I'm with you, Paul. Subversion *is* a hard sell to folks with 'Security'
in their job titles.

The FAQ entry on plaintext passwords is probably the single biggest deal
breaker for many serious security reviews. Read it.

http://subversion.tigris.org/faq.html#plaintext-passwords

I'm focusing solely on what the FAQ says, not whether it is correct or
up to date. Here's a summary of what it says to a cynical, paranoid,
risk-mitigation kind of guy whose job it is to say "No" -- you know the
type.

1. Trust the OS to protect the data. Sure, until the OS is compromised,
as if that never happens. These developers sound like rank amateurs on
security matters.

2. If you don't want passwords stored in plaintext, you have the option
of not storing passwords at all. Bad options lead to bad decisions:
given the opportunity to choose the lesser of two evils, people often
choose the path of least resistance regardless of the evil involved. Not
good.

3. Aw, heck, all my friends are doing it, worse actually, so what's the
problem? The fallacy here is no one said that CVS set the security
standard for Subversion to match or best.

3a. And no one cares about this problem enough to do anything about it.
If I do, I can send in a patch. It can't be easy if no one's done it
yet. And I need a version control system now, not next quarter or next
year.

Four reasons to say no; no reasons to say yes. Case closed.

I suggest that rewriting this FAQ item to be more security savvy could
go a long way to reducing the perception -- true or not -- that
Subversion developers don't take security seriously.

Stuart Celarier | Corillian Corporation

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Wed Jul 19 08:00:17 2006