Re: Are http-based password authentications secure?

From: Scott Lamb <slamb_at_slamb.org>
Date: 2006-04-25 18:53:19 CEST

On Apr 24, 2006, at 3:28 PM, Garrett Rooney wrote:
> On 4/24/06, Matt England <mengland@mengland.net> wrote:
>> Are authentication passwords given to update a repo that is
>> checked out via
>> "http://" vs "https://" secure, in the sense that their
>> transmission is
>> encrypted?
>
> It depends on how you set up apache. If you use basic auth no, you
> need https to encrypt them, if you use digest auth, then yes, they are
> encrypted on the wire.

And if you're worried about man-in-the-middle attacks, it depends on
how you set up the *client*. If it allows the server to request basic
authentication, then "http://" is not secure. I don't think
Subversion has a way to prevent basic auth from being used (most http
clients don't), so "https://" is a more secure choice.

-- 
Scott Lamb <http://www.slamb.org/>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org

Received on Tue Apr 25 18:54:38 2006

This message: [ Message body ]
Next message: Rafael Caceres: "Re: https: access gives: Can't set position pointer in file"
Previous message: Frank Gruman: "Re: svn for SQL Server's Stored procedures?"
In reply to: Garrett Rooney: "Re: Are http-based password authentications secure?"
Next in thread: Konrad Rosenbaum: "Re: Are http-based password authentications secure?"
Reply: Konrad Rosenbaum: "Re: Are http-based password authentications secure?"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]