
Re: Are http-based password authentications secure?

From: Scott Lamb <slamb_at_slamb.org>
Date: 2006-04-25 18:53:19 CEST

On Apr 24, 2006, at 3:28 PM, Garrett Rooney wrote:
> On 4/24/06, Matt England <mengland@mengland.net> wrote:
>> Are authentication passwords given to update a repo that is checked
>> out via "http://" vs "https://" secure, in the sense that their
>> transmission is encrypted?
>
> It depends on how you set up Apache. If you use basic auth, no, you
> need https to encrypt them; if you use digest auth, then yes, they are
> encrypted on the wire.

And if you're worried about man-in-the-middle attacks, it depends on
how you set up the *client*. If it allows the server to request basic
authentication, then "http://" is not secure. I don't think
Subversion has a way to prevent basic auth from being used (most http
clients don't), so "https://" is a more secure choice.

-- 
Scott Lamb <http://www.slamb.org/>
Received on Tue Apr 25 18:54:38 2006
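
The client-side policy raised in the reply above, as an added example that is not part of the original mail or of Subversion's code: it parses the server's `WWW-Authenticate` challenges and refuses to answer a Basic challenge over plain `http://`, so a challenge list that has lost its Digest entry fails closed instead of sending the password. The function names and the sample header values are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Split a header value on commas that sit outside quoted strings.
_PIECES = re.compile(r'(?:[^",]|"(?:[^"\\]|\\.)*")+')
# A piece opens a new challenge when it starts with a scheme token that is
# not followed by "=" (which would make it an auth-param such as realm=).
_SCHEME = re.compile(r"([!#$%&'*+.^_`|~0-9A-Za-z-]+)(?:\s+(?![\s=])|$)")


class InsecureChallenge(Exception):
    """Raised when no offered scheme is acceptable for this URL."""


def offered_schemes(www_authenticate_values):
    """Return the lower-cased auth schemes named in WWW-Authenticate values."""
    schemes = []
    for value in www_authenticate_values:
        for piece in _PIECES.findall(value):
            match = _SCHEME.match(piece.strip())
            if match:
                schemes.append(match.group(1).lower())
    return schemes


def choose_scheme(url, www_authenticate_values):
    """Pick the scheme to answer with, never sending Basic over plain http."""
    encrypted = urlsplit(url).scheme.lower() == "https"
    offered = offered_schemes(www_authenticate_values)
    if "digest" in offered:
        return "digest"          # password itself is never put on the wire
    if "basic" in offered and encrypted:
        return "basic"           # base64 only, acceptable inside TLS
    raise InsecureChallenge(f"refusing {offered or 'no known scheme'} for {url}")


if __name__ == "__main__":
    # Constructed sample challenges (hypothetical host and realm).
    both = ['Digest realm="svn", nonce="a,b", qop="auth", Basic realm="svn"']
    basic_only = ['Basic realm="svn"']
    print(choose_scheme("http://svn.example.org/repo", both))
    print(choose_scheme("https://svn.example.org/repo", basic_only))
    try:
        choose_scheme("http://svn.example.org/repo", basic_only)
    except InsecureChallenge as exc:
        print("blocked:", exc)
```
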

This is an archived mail posted to the Subversion Users mailing list.