[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

RE: svn automatically temporary accept for SSL key?

From: Jason Winnebeck <jpwasp_at_rit.edu>
Date: 2007-07-17 20:39:29 CEST

-----Original Message-----
From: Konrad Rosenbaum [mailto:konrad@silmor.de]

On Tuesday 17 July 2007, timotheus wrote:
> How do I make the svn command automatically select temporary key
> acceptance for https:// method. This appears necessary for cron jobs.

Why temporary?

Do it once manually and accept the SSL-key permanently, then the
cron-job
will not have any problems. There is no valid security reason to accept
a
key temporarily hundreds of times without even seeing it over just
accepting it permanently.

        Konrad

------------

Also, if you automatically accept any SSL key, you have eliminated
entirely any security offered by SSL. Just FYI. At least with
self-signed keys that are blindly accepted the first time you get the
same level of security as you might from SSH: you know the server is the
same server as the server from the first connect. With auto-accept, an
attacker can inject any SSL key they desire and then the only thing you
get is encryption to the attacker's machine.

Jason

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Tue Jul 17 20:38:49 2007

This is an archived mail posted to the Subversion Users mailing list.