
RE: SVN "Relay"

From: Vallon, Justin <Justin.Vallon_at_deshaw.com>
Date: Mon, 2 Aug 2010 12:31:04 -0400

As far as I can tell, from the "vulnerability":

<<<
GENERATES A FULL SSL CERTIFICATE WHICH THE VICTIM'S BROWSER
WILL PROMPT HIM TO ACCEPT:

webmitm -dd
>>>

The user needs to accept the man-in-the-middle certificate.

-- 
-Justin
-----Original Message-----
From: Istace Emmanuel [mailto:istace.emmanuel_at_hotmail.com] 
Sent: Monday, August 02, 2010 12:01 PM
To: 'Les Mikesell'
Cc: users_at_subversion.apache.org
Subject: RE: SVN "Relay"
"Can you point me to something specific?"
No problem, here is a video (the "fun" side):
http://www.youtube.com/watch?v=Aak6-B3JORE
An article:
http://forums.remote-exploit.org/tutorials-guides/19852-ssl-spoof-using-wireshark-decode-ssl-packets.html
"If you are concerned about your service provider maybe you should use
someone else - or a service that lets you run your own system images where
you could set up a blowfish-based vpn."
I haven't chosen that :(
But as I say, it's a temporary solution.
-----Original Message-----
From: Les Mikesell [mailto:lesmikesell_at_gmail.com] 
Sent: Monday, August 2, 2010 17:07
To: users_at_subversion.apache.org
Subject: Re: SVN "Relay"
On 8/2/2010 8:56 AM, Istace Emmanuel wrote:
> " Should I be worried about banking transactions or credit card orders?"
> Yeah :(
>
> " You could use any kind of VPN you want with the remote site.  Use an 
> IPSEC tunnel between hosts if you don't trust SSL.  Or OpenVPN with
> blowfish."
> No, because the SVN is on a SaaS cloud, so we just have access to the 
> service and not the system. So we can't install a VPN server and 
> remember, vpn and ipsec use SSL. Search on google about SSL Spoofing 
> ;)
Can you point me to something specific?  I see things about spoofing some
other site's certificate and some things about specific implementations
being subject to man-in-the-middle attacks but nothing that looks like a
generic weakness.  If you are concerned about your service provider (who
would have the best opportunity to arrange a man-in-the-middle connection),
maybe you should use someone else - or a service that lets you run your own
system images where you could set up a blowfish-based vpn.
--
  Les Mikesell
    lesmikesell_at_gmail.com
Received on 2010-08-02 18:34:05 CEST

This is an archived mail posted to the Subversion Users mailing list.
