Re: Security flaw: subversion stores passwords by default

Blair Zajac schrieb:
>
> See
>
> http://subversion.tigris.org/faq.html#plaintext-passwords
> http://svnbook.red-bean.com/nightly/en/svn.serverconfig.netmodel.html#svn.serverconfig.netmodel.credcache
>

Thanks, but I am pretty much aware of this.

This does not make it any less insecure. On the contrary: This is
insecure by design. If many people have
complained before, and the authors still intentionally keep such flaws,
what is their idea of security?

Just read that:

  " Trust your OS to protect data on disk."

That's nonsense. What do they believe why passwords stored by the
operating system are usually hashed and salted?

What makes them believe that exactly that OS will be in place all time?

That sort of approach is really silly. If you can't do it in a secure
way, than don't do it at all (at least not without explicit user consent).

The really bad thing about this is that it not just compromises
subversion, but can compromise the security of the whole LAN.

Absolutely bad design.

regards
Hadmut

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe_at_subversion.tigris.org
For additional commands, e-mail: users-help_at_subversion.tigris.org
Received on 2008-03-20 01:02:48 CET