
RE: svn automatically temporary accept for SSL key?

From: Jason Winnebeck <jpwasp_at_rit.edu>
Date: 2007-07-17 20:39:29 CEST

-----Original Message-----
From: Konrad Rosenbaum [mailto:konrad@silmor.de]

On Tuesday 17 July 2007, timotheus wrote:
> How do I make the svn command automatically select temporary key
> acceptance for https:// method. This appears necessary for cron jobs.

Why temporary?

Do it once manually and accept the SSL-key permanently, then the
cron-job will not have any problems. There is no valid security reason
to accept a key temporarily hundreds of times without even seeing it
over just accepting it permanently.

        Konrad

------------

Also, if you automatically accept any SSL key, you have eliminated
entirely any security offered by SSL. Just FYI. At least with
self-signed keys that are blindly accepted the first time you get the
same level of security as you might from SSH: you know the server is the
same server as the server from the first connect. With auto-accept, an
attacker can inject any SSL key they desire and then the only thing you
get is encryption to the attacker's machine.

Jason

Received on Tue Jul 17 20:38:49 2007
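
The difference described in the reply above, between accepting a key once and auto-accepting every key, as an added example that is not part of the original thread or of Subversion's code. The host name, certificate bytes, and class and function names are constructed for illustration.

```python
import hashlib
import hmac


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a certificate's raw bytes."""
    return hashlib.sha256(cert_der).hexdigest()


class PinnedTrust:
    """Accept once, then require the same certificate on every later connect."""

    def __init__(self):
        self.pins = {}  # host -> fingerprint accepted on first connect

    def connect(self, host: str, cert_der: bytes) -> bool:
        seen = fingerprint(cert_der)
        pinned = self.pins.get(host)
        if pinned is None:
            # First connect is trusted blindly; everything after is checked.
            self.pins[host] = seen
            return True
        return hmac.compare_digest(pinned, seen)


class AutoAccept:
    """Accept whatever certificate is presented, every time."""

    def connect(self, host: str, cert_der: bytes) -> bool:
        return True  # no identity check at all, only encryption to the peer


def simulate(policy, connections):
    """Return, per connection, whether the policy lets it proceed."""
    return [policy.connect(host, cert) for host, cert in connections]


# Constructed sample data: a cron job connecting four times; on the third
# run a different certificate is presented for the same host.
HOST = "svn.example.org"
GENUINE = b"constructed bytes standing in for the server certificate"
SUBSTITUTE = b"constructed bytes standing in for a different certificate"
CONNECTIONS = [(HOST, GENUINE), (HOST, GENUINE), (HOST, SUBSTITUTE), (HOST, GENUINE)]

if __name__ == "__main__":
    print("pinned:     ", simulate(PinnedTrust(), CONNECTIONS))
    print("auto-accept:", simulate(AutoAccept(), CONNECTIONS))
```
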

This is an archived mail posted to the Subversion Users mailing list.
