Re: Are http-based password authentications secure?

From: Nico Kadel-Garcia <nkadel_at_comcast.net>
Date: 2006-04-28 13:41:07 CEST

Kalin KOZHUHAROV wrote:

> At the moment all three are working solutions and in two of them I
> migrated from HTTPS to plain HTTP because of the performance gains.
> Self-signed certificates are no issue here - I have set up a private
> CA and distributed its cert to the clients.

Kalin, I hope that your system does not even *permit* users to use the same
authentication password for HTTP/Subversion as they do for their email and
user logins. Otherwise, it only takes one idiot setting up a poorly
protected wireless access point to sniff the passwords, or to have a
remotely VPN accessed repository.

There is a performance hit for SSL based traffic, but so far I've seen that
masked by resource limits on the clients, usually RAM on machines that are
running a lot of RAM intensive Windows applications.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Fri Apr 28 13:42:10 2006

This message: [ Message body ]
Next message: Nico Kadel-Garcia: "Re: Adding to a repository without initial import dangerous?"
Previous message: Bill Williams: "Re: Large Repository .vs Many Smaller ones.."
In reply to: Kalin KOZHUHAROV: "Re: Are http-based password authentications secure?"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]