On Tue, Dec 21, 2004 at 01:11:38AM +0000, Tom Martin wrote:
> Hello!
>
> Background:
>
> We've encountered the following security problem in our company.
> Our repository (containing sensitive data) lives on a dynamic IP.
> Now, one developer connected to a wrong (out-of-date) IP,
> and by accident at this time there was a different host having this IP.
> The svn client (TSVN) popped up the "fingerprint has changed" warning;
> but it seems that many developers (as in this case) simply
> click "ok" onto such buttons not taking such a warning seriously.
> This seems to be a wide-spread behaviour especially for windows-users
> using GUI frontends.
> As consequence, he tried to connect to the wrong server.
> In this case this was no problem because this server had no repository
> on the same location; but "bad guys" might use this for fetching confidential
> data sent by the svn client to the wrong host.
> As often, at the end the human being is the most serious security hole.
> But if there are possibilities to protect against lazy users, this is a good
> idea.
>
> Proposal:
>
> A new boolean config entry "ssl-no-promt" for the "servers" config file.
> If the ssl host cannot be authenticated using "ssl-authority-files",
> the svn client fails without prompting.
> In contrast to implementing such a feature to each individual svn client,
> this feature automatically would affect all clients.
Sounds like a good idea to me. I realize a lot of people didn't support
this. But this is similar to the StrictHostKeyChecking yes which I use
in ssh myself. Please file an enhancement issue for this.
--
Ben Reser <ben@reser.org>
http://ben.reser.org
"Conscience is the inner voice which warns us somebody may be looking."
- H.L. Mencken
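For readers who want to see what the proposal above would look like in practice, here is an added illustration of the Subversion "servers" config file (~/.subversion/servers on Unix, %APPDATA%\Subversion\servers on Windows); it is not code from the thread or from the Subversion project. The group name, host pattern and CA path are assumptions. The `ssl-authority-files` and `ssl-trust-default-ca` keys are real Subversion options; `ssl-no-promt` is the option proposed in the message above and, as far as the thread goes, was never part of Subversion.

```ini
# ~/.subversion/servers (illustration only; names and paths are assumptions)

[groups]
# Route every connection to the company repository host through the
# [company] section below. "repo.example.com" is a placeholder.
company = repo.example.com

[company]
# Pin the CA certificate (PEM) that issued the repository's server cert.
# A client that cannot chain the presented cert to this file has reached
# the wrong host, whatever IP the stale DNS entry pointed at.
ssl-authority-files = /home/user/.subversion/company-ca.pem

# Do not accept any certificate merely because the OS / OpenSSL default
# CA store trusts it; only the pinned CA above counts for this group.
ssl-trust-default-ca = no

# Proposed in the thread, not an actual Subversion option: when the cert
# cannot be validated against ssl-authority-files, fail instead of
# showing the "accept (p)ermanently / (t)emporarily / (r)eject" prompt.
ssl-no-promt = yes
```

The practical check today is `svn --non-interactive`, which refuses an unverifiable server certificate with an error instead of prompting, so the same "fail closed" behaviour can be had per invocation; the proposal's point is to make it a server-side policy in the config file so that GUI clients such as TSVN, which drive the same library, inherit it. The ssh analogue Ben mentions is `StrictHostKeyChecking yes` in ~/.ssh/config, which makes ssh refuse to connect to a host whose key is unknown or has changed rather than ask the user.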
Received on Tue Mar 1 05:32:04 2005