Subversion authentication security issue (svnserve, MITM)
From: Navrotskiy Artem <bozaro_at_ya.ru>
Date: Fri, 16 Jan 2015 10:35:46 +0300
Subversion includes many types of connection:
* svnserve - plain password over network
In the case of svnserve, by default a hash is transmitted over the network instead of the password, and this configuration looks safe.
The svnserve + ssh configuration, even on a local network, adds more overhead to establish the connection (I have 0.3 seconds per connection). The console svn client reconnects too often (e.g., svn status -u A.txt B.txt C.txt produces 6 serial connections).
As a solution to this problem, it seems reasonable to wrap the svnserve protocol in SSL.
This is an archived mail posted to the Subversion Dev mailing list.