Re: proposal: config option to prevent password storage

From: Scott Lamb <slamb_at_slamb.org>
Date: 2002-09-23 09:15:08 CEST

Robert Schiele wrote:
>>With `http basic' authentication, worrying about plaintext passwords
>>being stored on the client side has got to be some kind of joke -- the
>>things are flying over the net in cleartext too. Therefore I think
>>the current default is fine :-).
>
> Note that there exist http daemons with ssl encryption for some
> years. Even apache is capable doing that.

Right, but until client-side checking of server SSL certificates is
implemented[*], this only helps so much. I only allow basic auth over
SSL, so I'm not vulnerable to sniffing. But I am vulnerable to trivial
man-in-the-middle attacks.

[*] There's a issue for this somewhere. Whoever implements it will make
me quite happy.

-- 
Scott Lamb
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Received on Mon Sep 23 09:17:37 2002

This message: [ Message body ]
Next message: Kean Johnston: "Another introduction"
Previous message: Kean Johnston: "Success: SCO OpenServer 5.0.7"
In reply to: Robert Schiele: "Re: proposal: config option to prevent password storage"
Next in thread: Robert Schiele: "Re: proposal: config option to prevent password storage"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]