
Re: Are http-based password authentications secure?

From: Kalin KOZHUHAROV <kalin_at_thinrope.net>
Date: 2006-04-27 16:29:20 CEST

Nico Kadel-Garcia wrote:
> Mike.Brenner wrote:
>> Hi Nico,
>>
>> Certainly none of those REQUIRE http.
>>
>> However, I take it that you grant Kalin's point that http "is useful"
>> (read "as safe and faster") than https IN THOSE 3 circumstances?
That is exactly what I meant...
[unsnip the examples]

Kalin Kozhuharov wrote:
>> ... a few examples where http is useful:
>> 1. A VPN endpoint and SVN/HTTP server on the same machine, no access
>> except through the (encrypted) VPN
>> 2. A physically secure and isolated (from the Net) LAN
>> 3. Anonymous (RO) public repositories

> Those circumstances are so limited as to be useless.
At the moment all three are working solutions and in two of them I
migrated from HTTPS to plain HTTP because of the performance gains.
Self-signed certificates are no issue here - I have set up a private CA
and distributed its cert to the clients.

> *SURE*, you don't much need a seatbelt if you never leave your
> driveway. But just as soon as someone needs access from off-site, or
> as soon as you're connecting via VPN from someone's off-site location
> where the VPN client is not the Subversion client itself, or as soon
> as some script kiddie gets access to your wireless network because
> you're using WEP instead of WAP or are careless with your WAP keys,
> you're toast.
Although I always use my seatbelt and it has saved me once from very
real death, it does not make me drive slower or hinder me in any way.
And when I buy a rally car one day, believe me it will have the most
advanced seatbelt system. But for normal cars - normal seatbelts are
enough. For the above 3 situations, HTTP is enough.

And actually, now that I am thinking about it, in most of the deployments
there are both HTTP and HTTPS servers running, just that the HTTP access
is limited to the safe paths and gets used 99% of the time.
 
>> If you don't, I wonder how you recommend sending stuff to
>> non-certificated people?
>
> Usually with a self-signed certificate. Most clients will accept them
> gracefully once you've accepted the certificate the first time: wget
> and the command line svn are a bit annoying with the whinging about
> it, but it's understandable with the security model that SSL was
> conceived for, which is host authentication as well as end-to-end
> encryption.

>> As a particular example, the website cvsdude sets up an svn server
>> for you for $10 per month via http, or $30 per month via https. Do
>> you recommend: always spend the extra $20 per month?
>
> Look again. You're comparing apples to oranges: the difference between
> $10/month and $22/month includes 5 times the disk space, 3 times the
> number of accounts, WebSVN access, a private Bugzilla, etc., etc., etc.
>
> CVSdude is an interesting service. But using HTTP vs. HTTPS for a public
> site is so amazingly stupid that I cannot imagine what the company was
> thinking.
Yes, I agree that providing RW SVN access on the I'net does require
HTTPS. Providing RO (and probably anonymous) SVN service is perfectly
OK.

Kalin.

-- 
|[ ~~~~~~~~~~~~~~~~~~~~~~ ]|
+-> http://ThinRope.net/ <-+
|[ ______________________ ]|
Received on Thu Apr 27 16:32:07 2006

This is an archived mail posted to the Subversion Users mailing list.
