
Re: Are http-based password authentications secure?

From: Konrad Rosenbaum <konrad_at_silmor.de>
Date: 2006-04-26 08:27:30 CEST

On Tuesday 25 April 2006 18:53, Scott Lamb wrote:
> And if you're worried about man-in-the-middle attacks, it depends on
> how you set up the *client*. If it allows the server to request basic
> authentication, then "http://" is not secure. I don't think
> Subversion has a way to prevent basic auth from being used (most http
> clients don't), so "https://" is a more secure choice.

As far as I know, the digest auth protocol over http does not prevent
man-in-the-middle attacks - it only prevents the man in the middle from snooping
the password - he can still modify the data transmitted.

So maybe the password is transferred securely, but you didn't gain much.

Use https. Today's servers (even the small ones) are strong enough to handle the
crypto overhead without complaint.

        Konrad

Received on Wed Apr 26 08:28:41 2006
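As an added illustration (not part of the mailing-list thread), the following Python computes the RFC 2617 Digest "response" value and shows why the reply above is right: with the usual qop=auth the request body is not covered by the hash at all, so a change to the transmitted data leaves the authentication valid, while qop=auth-int at least folds in a hash of the body. The Mufasa values are the RFC's own worked example; the Subversion-style parameters are constructed.

```python
import hashlib


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce,
                    qop, body=b""):
    """RFC 2617 Digest 'response' for the qop=auth and qop=auth-int variants."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    if qop == "auth-int":
        # auth-int binds the request entity body into HA2
        ha2 = _md5(f"{method}:{uri}:{hashlib.md5(body).hexdigest()}")
    else:
        # plain auth hashes only method and URI; the body is not covered
        ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def rfc2617_example() -> str:
    """The worked example from RFC 2617 section 3.5 (qop=auth)."""
    return digest_response("Mufasa", "testrealm@host.com", "Circle Of Life",
                           "GET", "/dir/index.html",
                           "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001",
                           "0a4f113b", "auth")


def body_change_detected(qop: str) -> bool:
    """True if altering the request body changes the Digest response.

    All parameters here are constructed sample values."""
    params = dict(user="alice", realm="svn", password="s3cret",
                  method="PUT", uri="/repos/trunk/file.c",
                  nonce="c0ffee", nc="00000001", cnonce="d00d", qop=qop)
    original = digest_response(**params, body=b"original commit content")
    tampered = digest_response(**params, body=b"tampered commit content")
    return original != tampered


if __name__ == "__main__":
    print("RFC 2617 response:", rfc2617_example())
    print("qop=auth detects body change:", body_change_detected("auth"))
    print("qop=auth-int detects body change:", body_change_detected("auth-int"))
```

Even auth-int covers only the request entity body, not the headers, and it is rarely negotiated in practice; TLS protects the whole exchange, which is the point of the reply.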

This is an archived mail posted to the Subversion Users mailing list.
