Posted to issues@archiva.apache.org by "Adrian Hempel, Atlassian (JIRA)" <ji...@codehaus.org> on 2008/06/03 03:01:54 UTC

[jira] Commented: (MRM-821) Encrypt network proxy password on archiva.xml

    [ http://jira.codehaus.org/browse/MRM-821?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=137156#action_137156 ] 

Adrian Hempel, Atlassian commented on MRM-821:
----------------------------------------------

I'm concerned that doing this would only provide the appearance of security, rather than actual security. Providing a false sense of security can be worse than no security at all.

Archiva needs the cleartext password to send to the proxy, so it would need to use reversible encryption, rather than the kind of one-way hash function that is typically used to protect password files. The decryption algorithm would be freely available, as it would be in the Archiva code, which is available to anyone. So, anyone with access to the file and basic Java skills would be able to decrypt your password without too much difficulty.

Instead, you should protect your Archiva configuration with appropriate file system permissions.

> Encrypt network proxy password on archiva.xml
> ---------------------------------------------
>
>                 Key: MRM-821
>                 URL: http://jira.codehaus.org/browse/MRM-821
>             Project: Archiva
>          Issue Type: Improvement
>          Components: remote proxy
>    Affects Versions: 1.0.2
>         Environment: ANY
>            Reporter: Felipe Requeno
>
> It is common for most companies to provide Internet services through network proxies. But it is unlikely to have anonymous access on such nodes. 
> Archiva stores passwords in a plain text format, generating a security risk or security flaw.
> It is really critical to have an encrypted password on Archiva's configuration file.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
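The practical recommendation in the comment above is to protect the configuration file with file system permissions rather than rely on reversible encryption whose key ships with the code. The following is an added example (not code from the Archiva project or from anyone in this thread) of the check an operator could run against such a file: it flags group/world access and cleartext <password> elements. The archiva.xml fragment is a constructed sample, and its element names are assumptions, not the real Archiva schema.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample of a configuration fragment. The element names are
# hypothetical; the point is only that a proxy password sits in cleartext,
# which is the situation the issue describes.
SAMPLE_ARCHIVA_XML = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <networkProxies>
    <networkProxy>
      <id>corp-proxy</id>
      <host>proxy.example.internal</host>
      <port>3128</port>
      <username>archiva-svc</username>
      <password>Constructed-Sample-Secret</password>
    </networkProxy>
  </networkProxies>
</configuration>
"""


def find_cleartext_passwords(xml_text):
    """Return the value of every non-empty <password> element in the document."""
    root = ET.fromstring(xml_text)
    return [elem.text.strip() for elem in root.iter("password")
            if elem.text and elem.text.strip()]


def check_config_permissions(path, expected_owner_uid=None):
    """Return a list of findings describing why PATH does not adequately
    protect the secrets inside it. An empty list means the file passes:
    no group/world bits, owned by the expected user."""
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRGRP | stat.S_IWGRP):
        findings.append(f"group has access (mode {oct(mode)})")
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        findings.append(f"world has access (mode {oct(mode)})")
    if expected_owner_uid is not None and st.st_uid != expected_owner_uid:
        findings.append(f"owned by uid {st.st_uid}, expected {expected_owner_uid}")
    # Only worth shouting about cleartext secrets if someone else can read them.
    with open(path, encoding="utf-8") as fh:
        secrets = find_cleartext_passwords(fh.read())
    if secrets and findings:
        findings.append(f"{len(secrets)} cleartext password(s) exposed to other users")
    return findings


def demo():
    """Write the sample file, check it at 0644 (typical default) and at 0600."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "archiva.xml")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_ARCHIVA_XML)
        os.chmod(path, 0o644)
        before = check_config_permissions(path, os.getuid())
        os.chmod(path, 0o600)
        after = check_config_permissions(path, os.getuid())
        return before, after


if __name__ == "__main__":
    loose, tight = demo()
    print("0644:", loose)   # three findings: group, world, exposed password
    print("0600:", tight)   # no findings
```

The check deliberately treats the cleartext password as a problem only in combination with loose permissions, which mirrors the argument in the comment: with the file restricted to the service account, reversible encryption adds nothing, because whoever can read the file can also read the key in the Archiva code.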