
Re: proposal: config option to prevent password storage

From: Scott Lamb <slamb_at_slamb.org>
Date: 2002-09-23 09:15:08 CEST

Robert Schiele wrote:
>>With `http basic' authentication, worrying about plaintext passwords
>>being stored on the client side has got to be some kind of joke -- the
>>things are flying over the net in cleartext too. Therefore I think
>>the current default is fine :-).
> Note that there exist http daemons with ssl encryption for some
> years. Even Apache is capable of doing that.

Right, but until client-side checking of server SSL certificates is
implemented[*], this only helps so much. I only allow basic auth over
SSL, so I'm not vulnerable to sniffing. But I am vulnerable to trivial
man-in-the-middle attacks.

[*] There's an issue for this somewhere. Whoever implements it will make
me quite happy.

Scott Lamb
Received on Mon Sep 23 09:17:37 2002

This is an archived mail posted to the Subversion Dev mailing list.
