Re: Are http-based password authentications secure?

From: Mike.Brenner <mikeb_at_mitre.org>
Date: 2006-04-27 13:30:56 CEST

Hi Nico,

Certainly none of those REQUIRE http.

However, I take it that you grant Kalin's
point that http "is useful" (read "as safe
and faster") than https IN THOSE 3
circumstances?

If you don't, I wonder how you recommend
sending stuff to non-certificated people?

As a particular example, the website
cvsdude sets up an svn server
for you for $10 per month via
http, or $30 per month via https.
Do you recommend: always spend the extra
$20 per month?

Nico Kadel-Garcia wrote:
> Not a single one of these require HTTP instead of HTTPS. There's just no
> excuse for it, except possibly that you don't want people whining that
> "I have to click to accept the unsigned key because you're too cheap to
> buy us an authenticated SSL key, boo-hoo".
>
> It's like sending people passwords via email. It's so dangerous in so
> many cases that there's just no excuse for doing it, even when it's
> relatively safe.

Kalin Kozhuharov wrote:
>> ... a few examples where http is useful:
>> 1. A VPN endpoint and SVN/HTTP server on the same machine, no access
>> except through the (encrypted) VPN
>> 2. A physically secure and isolated (from the Net) LAN
>> 3. Anonymous (RO) public repositories

Nico Kadel-Garcia wrote:
>>> ... HTTP should frankly never be used. ...

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Thu Apr 27 13:32:22 2006

This is an archived mail posted to the Subversion Users mailing list.