[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Auth security for 'http://' (without SSL) based access?

From: Matt England <mengland_at_mengland.net>
Date: 2006-10-07 20:57:29 CEST

(My apologies if this is a faq.)

How secure are authentication artifacts (namely logins and passwords)
during the following commands on a repo that requires login-and-password
authentication for

svn co http://myrepo.com myrepo
cd myrepo
touch a
svn add a
svn ci -m "checking new file namd 'a'"

(Note that it's an 'http://' and not a 'https://' (SSL based) access.)

Is the corresponding password sent in clear text? If so, then said
passwords a quite susceptible to being sniffed, particularly on a wireless
network (it's debatable how hard/easy this is to do on a non-wireless network).

I help manage a public repo (<http://svn.cleversafe.org/dscore/> and
others) that allow anonymous, http-based access. If the above is true, how
can we minimize the possibility of committers updating said repo via
http:// access, other than turning off http:// access or simply asking all
the committers never to checkout via http:// (and only use https://)?

Dispersed storage: http://cleverafe.org

To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Sat Oct 7 20:58:15 2006

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.