
Auth security for 'http://' (without SSL) based access?

From: Matt England <mengland_at_mengland.net>
Date: 2006-10-07 20:57:29 CEST

(My apologies if this is a faq.)

How secure are authentication artifacts (namely logins and passwords)
during the following commands on a repo that requires login-and-password
authentication for

svn co http://myrepo.com myrepo
cd myrepo
touch a
svn add a
svn ci -m "checking new file namd 'a'"

(Note that it's an 'http://' and not a 'https://' (SSL based) access.)

Is the corresponding password sent in clear text? If so, then said
passwords are quite susceptible to being sniffed, particularly on a wireless
network (it's debatable how hard/easy this is to do on a non-wireless network).

I help manage a public repo (<http://svn.cleversafe.org/dscore/> and
others) that allow anonymous, http-based access. If the above is true, how
can we minimize the possibility of committers updating said repo via
http:// access, other than turning off http:// access or simply asking all
the committers never to checkout via http:// (and only use https://)?

-Matt
Dispersed storage: http://cleverafe.org

Received on Sat Oct 7 20:58:15 2006
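
Added example, not part of the original post: whether the password is readable on an 'http://' connection depends on the HTTP authentication scheme the server uses, and this sketch shows what one unencrypted request reveals under Basic versus Digest. The request text, host name, credentials and the function names `build_request` and `observe` are constructed for illustration; the post does not say which scheme the repository uses.

```python
import base64
import re

def build_request(authorization):
    """Constructed sample of a WebDAV write request as seen on plain http://."""
    return ("MKACTIVITY /repo/!svn/act/constructed-id HTTP/1.1\r\n"
            "Host: svn.example.org\r\n"
            f"Authorization: {authorization}\r\n\r\n")

def observe(raw_request):
    """Return what a passive listener learns from one unencrypted request."""
    lines = raw_request.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    result = {"method": lines[0].split(" ", 1)[0], "scheme": None,
              "username": None, "password": None}
    auth = headers.get("authorization")
    if not auth:
        return result  # anonymous request: no credentials on the wire
    scheme, _, param = auth.partition(" ")
    result["scheme"] = scheme.lower()
    if result["scheme"] == "basic":
        # Basic is base64("user:password"): an encoding, not encryption.
        decoded = base64.b64decode(param.strip()).decode("utf-8", "replace")
        # Split on the first colon only; the password may contain colons.
        result["username"], _, result["password"] = decoded.partition(":")
    elif result["scheme"] == "digest":
        # Digest sends a hash of the password, not the password itself, but
        # the username is readable and the hash can be guessed against offline.
        m = re.search(r'username="([^"]*)"', param)
        result["username"] = m.group(1) if m else None
    return result

# Constructed credentials and header values, for illustration only.
BASIC = "Basic " + base64.b64encode(b"committer:s3cr3t:pw").decode()
DIGEST = ('Digest username="committer", realm="svn", nonce="constructed", '
          'uri="/repo", response="0123456789abcdef0123456789abcdef"')

if __name__ == "__main__":
    for header in (BASIC, DIGEST):
        print(observe(build_request(header)))
```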

This is an archived mail posted to the Subversion Users mailing list.
