Hello!
Background:
We've encountered the following security problem in our company.
Our repository (containing sensitive data) lives on a dynamic IP.
Now, one developer connected to a wrong (out-of-date) IP,
and by accident at this time there was a different host having this IP.
The svn client (TSVN) popped up the "fingerprint has changed" warning;
but it seems that many developers (as in this case) simply
click "ok" on such buttons, not taking such a warning seriously.
This seems to be a widespread behaviour, especially for Windows users
using GUI frontends.
As a consequence, he tried to connect to the wrong server.
In this case this was no problem because this server had no repository
on the same location; but "bad guys" might use this for fetching confidential
data sent by the svn client to the wrong host.
As is often the case, in the end the human being is the most serious security hole.
But if there are possibilities to protect against lazy users, this is a good
idea.
Proposal:
A new boolean config entry "ssl-no-prompt" for the "servers" config file.
If the ssl host cannot be authenticated using "ssl-authority-files",
the svn client fails without prompting.
In contrast to implementing such a feature in each individual svn client,
this feature would automatically affect all clients.
Thanks!
Tom
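The fail-closed behaviour proposed above, as an added illustration that is not part of the original message or of Subversion itself: it reads the real "ssl-authority-files" key and the proposed (hypothetical) "ssl-no-prompt" key from a constructed "servers" file, builds a TLS client context that requires a CA-validated certificate and hostname match, and, when validation fails, refuses the connection instead of asking the user.

```python
import configparser
import socket
import ssl

# Constructed sample of a Subversion "servers" file. "ssl-authority-files" is a
# real key; "ssl-no-prompt" is only the key proposed in the message, not a real
# Subversion option.
SAMPLE_SERVERS = """
[global]
ssl-authority-files = /etc/ssl/certs/company-root.pem
ssl-no-prompt = yes
"""


def parse_servers(text):
    """Return (list of CA bundle paths, no_prompt flag) from a servers file."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    g = cp["global"] if cp.has_section("global") else {}
    ca_files = [p.strip() for p in g.get("ssl-authority-files", "").split(",") if p.strip()]
    no_prompt = g.get("ssl-no-prompt", "no").strip().lower() in ("yes", "true", "on", "1")
    return ca_files, no_prompt


def build_client_context(ca_files):
    """PROTOCOL_TLS_CLIENT defaults to CERT_REQUIRED + hostname checking, so an
    unknown host (wrong IP, swapped server) cannot pass silently."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    for path in ca_files:
        ctx.load_verify_locations(cafile=path)
    return ctx


def on_untrusted_certificate(no_prompt, prompt_user):
    """Policy when the server cert is not signed by ssl-authority-files:
    with ssl-no-prompt the client fails closed and never asks the user."""
    if no_prompt:
        return "fail"
    return "accept" if prompt_user() else "fail"


def connect_checked(host, port, servers_text, prompt_user=lambda: False):
    """Open a verified TLS connection; returns 'ok', or the policy decision."""
    ca_files, no_prompt = parse_servers(servers_text)
    ctx = build_client_context(ca_files)
    try:
        with socket.create_connection((host, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "ok"
    except ssl.SSLCertVerificationError:
        return on_untrusted_certificate(no_prompt, prompt_user)
```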
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Tue Dec 21 02:13:32 2004