[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: 0.29.0 - PKCS12 Certificates Only?

From: Brian Mathis <bmathis_at_directedge.com>
Date: 2003-09-08 23:42:07 CEST

Yes, when dealing with paypsl.com you need this level of security, but
we're not talking about credit cards and bank statements here.

If I'm a sysadmin who runs both the svn server and supports the clients,
and know what conditions it's being used and when, there's a very low
likelyhood someone is going to target my humble svn server to attack and
overwrite my keys, or hijaak the network, or whatever.

If you want to be a security snob, that's fine - and I usually agree
with that level of security. But you have to realize that "security" is
not all or nothing, there are different degrees of it.

To summarize my point:
-. You really REALLY should be using fully authenticated certificates
-. You should not bypass security measures if possible
-. SSL is not completely useless if you don't use signed keys, it just
has a large benefit/safety reduced.
-. Some encryption is better than nothing at all

Security If you don't do it all
is stupid |---A-----------|-----M--------U| it's not worth doing

I hope that line comes through:
U: Clearly your position on the matter
A: The level you seem to think I'm arguing to
M: The level I actually am arguing to.

Mukund wrote:
> On Mon, Sep 08, 2003 at 05:00:26PM -0400, Brian Mathis wrote:
>>Well, not the *very* objective, but one of them. You'll still get
>>encrypted traffic on the wire. Yes, a man in the middle attack is still
>>possible, but that takes much more effort than simply setting up tcpdump.
>
> Encryption and authenticity go hand in hand. You implement authentication
> first, then encryption. There is no such thing as SSL without proving
> authenticity. Encrypted traffic without authenticity is meaningless. You
> can just as well send your credit card details to amaz00n.com instead of
> amazon.com without authentication, although your traffic is encrypted.
>
> I'll get into this conversation when you are past setting up snake oil
> security. I apologize if I sound rude.. not my intention. Read up.

-- 
Brian Mathis
http://www.directedge.com/b/
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Mon Sep 8 23:44:46 2003

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.