
Re: Are http-based password authentications secure?

From: Nico Kadel-Garcia <nkadel_at_comcast.net>
Date: 2006-04-28 13:41:07 CEST

Kalin KOZHUHAROV wrote:

> At the moment all three are working solutions and in two of them I
> migrated from HTTPS to plain HTTP because of the performance gains.
> Self-signed certificates are no issue here - I have set up a private
> CA and distributed its cert to the clients.

Kalin, I hope that your system does not even *permit* users to use the same
authentication password for HTTP/Subversion as they do for their email and
user logins. Otherwise, it only takes one idiot setting up a poorly
protected wireless access point to sniff the passwords, or to have a
remotely VPN-accessed repository.

There is a performance hit for SSL-based traffic, but so far I've seen that
masked by resource limits on the clients, usually RAM on machines that are
running a lot of RAM-intensive Windows applications.

Received on Fri Apr 28 13:42:10 2006

This is an archived mail posted to the Subversion Users mailing list.
