You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@subversion.apache.org by Matt England <me...@mengland.net> on 2006/04/24 22:20:12 UTC
Are http-based password authentications secure?
Are authentication passwords given to update a repo that is checked out via
"http://" vs "https://" secure, in the sense that their transmission is
encrypted?
-Matt
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
svncopy (was: Propset on non wc elements)
Posted by Phil Endecott <sp...@chezphil.org>.
Gary Wolfe <gp...@nextomt.com> wrote:
> Excuse me if I have missed any discussion about this. But is there any hope
> that propset could support working directly on repository elements?
For a while I have been using the svncopy contrib script to tag releases containing externals. svncopy behaves much like "svn copy", but has a flag that tells it to freeze the versions of externals during the copy.
svncopy has a couple of disadvantages. One is that it creates a temporary working copy; this involves a lot of network activity over my cable-modem, much of it in the slow upstream direction. But I can live with this as I don't do it very often. Another problem is that it doesn't do exactly what I want with the directory structure. Typically, I want to copy from "trunk" to "tags/releases/1.2.3", but I end up with "tags/releases/1.2.3/trunk" and have to fix it up afterwards.
To avoid both of these issues I have been considering going back to "svn copy" and freezing the externals in a second step. To do this, I need to recursively "svn propget" on the directories in the repository to find the externals, and then "svn propset" to freeze the versions. This seems to need the same missing propset-on-repository function.
Since it doesn't look like this is going to happen anytime soon, I wonder if anyone can suggest any other strategies that might work?
--Phil.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: Propset on non wc elements.
Posted by Ryan Schmidt <su...@ryandesign.com>.
On Apr 26, 2006, at 18:28, Gary Wolfe wrote:
> Excuse me if I have missed any discussion about this. But is there
> any hope
> that propset could support working directly on repository elements?
>
> Seems very inefficient to have to check out the entire branch/tag
> to add a
> property to the branch/tag directory.
http://subversion.tigris.org/issues/show_bug.cgi?id=2238
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Propset on non wc elements.
Posted by Gary Wolfe <gp...@nextomt.com>.
Greetings,
Excuse me if I have missed any discussion about this. But is there any hope
that propset could support working directly on repository elements?
Seems very inefficient to have to check out the entire branch/tag to add a
property to the branch/tag directory.
Thanks,
--Gary
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: Are http-based password authentications secure?
Posted by Scott Lamb <sl...@slamb.org>.
On Apr 25, 2006, at 11:27 PM, Konrad Rosenbaum wrote:
> On Tuesday 25 April 2006 18:53, Scott Lamb wrote:
>> And if you're worried about man-in-the-middle attacks, it depends on
>> how you set up the *client*. If it allows the server to request basic
>> authentication, then "http://" is not secure. I don't think
>> Subversion has a way to prevent basic auth from being used (most http
>> clients don't), so "https://" is a more secure choice.
>
> As far as I know the protocol digest auth via http does not prevent
> man-in-the-middle - it only prevents the man in the middle from
> snooping
> the password - he can still modify the data transmitted.
I agree.
> So maybe the password is transferred securely, but you didn't gain
> much.
Well, my point is that even if you're only concerned about the
password, telling the server to use digest is not enough. You need to
tell the client not to send its password in plaintext, and https is
the only way to do that now. So my conclusion's the same as yours:
use https.
Being only concerned about the password is not unreasonable. It could
be a password shared with other systems that are much more sensitive.
Thus, even being able to impersonate someone to the Subversion server
might be much less significant than obtaining their password, which
could be used to gain access to the other systems.
> Use https. Todays servers (even the small ones) are strong enough
> to do the
> crypto overhead without complaint.
The human set-up work is a bigger problem. I'm finding lately that a
_lot_ of people don't understand certificate chains, certificate
signing requests, and the like. I haven't found any decent guides on
the web, either. They tend to do everything in a single session,
mixing up the different roles and making it hard to distinguish who
is supposed to have access to what private data.
Regards,
Scott
--
Scott Lamb <http://www.slamb.org/>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: Are http-based password authentications secure?
Posted by Konrad Rosenbaum <ko...@silmor.de>.
On Tuesday 25 April 2006 18:53, Scott Lamb wrote:
> And if you're worried about man-in-the-middle attacks, it depends on
> how you set up the *client*. If it allows the server to request basic
> authentication, then "http://" is not secure. I don't think
> Subversion has a way to prevent basic auth from being used (most http
> clients don't), so "https://" is a more secure choice.
As far as I know the protocol digest auth via http does not prevent
man-in-the-middle - it only prevents the man in the middle from snooping
the password - he can still modify the data transmitted.
So maybe the password is transferred securely, but you didn't gain much.
Use https. Todays servers (even the small ones) are strong enough to do the
crypto overhead without complaint.
Konrad
Re: Are http-based password authentications secure?
Posted by Scott Lamb <sl...@slamb.org>.
On Apr 24, 2006, at 3:28 PM, Garrett Rooney wrote:
> On 4/24/06, Matt England <me...@mengland.net> wrote:
>> Are authentication passwords given to update a repo that is
>> checked out via
>> "http://" vs "https://" secure, in the sense that their
>> transmission is
>> encrypted?
>
> It depends on how you set up apache. If you use basic auth no, you
> need https to encrypt them, if you use digest auth, then yes, they are
> encrypted on the wire.
And if you're worried about man-in-the-middle attacks, it depends on
how you set up the *client*. If it allows the server to request basic
authentication, then "http://" is not secure. I don't think
Subversion has a way to prevent basic auth from being used (most http
clients don't), so "https://" is a more secure choice.
--
Scott Lamb <http://www.slamb.org/>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: Are http-based password authentications secure?
Posted by Garrett Rooney <ro...@electricjellyfish.net>.
On 4/24/06, Matt England <me...@mengland.net> wrote:
> Are authentication passwords given to update a repo that is checked out via
> "http://" vs "https://" secure, in the sense that their transmission is
> encrypted?
It depends on how you set up apache. If you use basic auth no, you
need https to encrypt them, if you use digest auth, then yes, they are
encrypted on the wire.
-garrett
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: Are http-based password authentications secure?
Posted by Nico Kadel-Garcia <nk...@comcast.net>.
Kalin KOZHUHAROV wrote:
> At the moment all three are working solutions and in two of them I
> migrated from HTTPS to plain HTTP because of the performance gains.
> Self-signed certificates are no issue here - I have set up a private
> CA and distributed its cert to the clients.
Kalin, I hope that your system does not even *permit* users to use the same
authentication password for HTTP/Subversion as they do for their email and
user logins. Otherwise, it only takes one idiot setting up a poorly
protected wireless access point to sniff the passwords, or to have a
remotely VPN accessed repository.
There is a performance hit for SSL based traffic, but so far I've seen that
masked by resource limits on the clients, usually RAM on machines that are
running a lot of RAM intensive Windows applications.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: Are http-based password authentications secure?
Posted by Kalin KOZHUHAROV <ka...@thinrope.net>.
Nico Kadel-Garcia wrote:
> Mike.Brenner wrote:
>> Hi Nico,
>>
>> Certainly none of those REQUIRE http.
>>
>> However, I take it that you grant Kalin's point that http "is useful"
>> (read "as safe and faster") than https IN THOSE 3 circumstances?
That is exactly what I meant...
[unsnip the examples]
Kalin Kozhuharov wrote:
>> ... a few examples where http is useful:
>> 1. A VPN endpoint and SVN/HTTP server on the same machine, no acces
>> except through the (encrypted) VPN
>> 2. A physically secure and isolated (from the Net) LAN
>> 3. Anonymous (RO) public repositories
> Those circumstances are so limited as to be useless.
At the moment all three are working solutions and in two of them I
migrated from HTTPS to plain HTTP because of the performance gains.
Self-signed certificates are no issue here - I have set up a private CA
and distributed its cert to the clients.
> *SURE*, you don't much need a seatbelt if you never leave your
> driveway. But just as soon as someone needs access from off-site, or
> as soon as you're connecting via VPN from someone's off-site location
> where the VPN client is not the Subversion client itself, or as soon
> as some script kiddie gets access to your wireless network because
> you're using WEP instead of WAP or are careless with your WAP keys,
> you're toast.
Although I always use a my seatbelt and it has saved me once from very
real death, it does not make me drive slower or hinder me in any way.
And when I buy a rally car one day, believe me it will have the most
advanced seatbelt system. But for normal cars - normal seatbelts are
enough. For the above 3 situatuions, HTTP is enough.
And actually, now that I am thingk about it, in most of the deployments
there are both HTTP and HTTPS servers running, just that the HTTP access
is limited to the safe paths and get used 99% of the time.
>> If you don't, I wonder how you recommend sending stuff to
>> non-certificated people?
>
> Usually with a self-signed certificate. Most clients will accept them
> gracefully once you've accepted the certificate the first time: wget
> and the command line svn are a bit annoying with the whinging about
> it, but it's understandable with the security model that SSL was
> conceived for, which is host authentication as well as end-to-end
> encryption.
>> As a particular example, the website cvsdude sets up an svn server
>> for you for $10 per month via http, or $30 per month via https. Do
>> you recommend: always spend the extra $20 per month?
>
> Look again. You're comparing apples to oranges: the difference between
> $10/month and $22/month includes 5 times the disk space, 3 times the
> number of accounts, WebSVN access, a private Bugzilla, etc., etc., etc.
>
> CVSdude is an interesting service. But using HTTP vs. HTTPS for a public
> site is so amazingly stupid that I cannot imagine what the company was
> thinking.
Yes, I agree that providing RW SVN access on the I'net does require
HTTPS. Providing RO (and probably anonymous) SVN service is perfectly
OK.
Kalin.
--
|[ ~~~~~~~~~~~~~~~~~~~~~~ ]|
+-> http://ThinRope.net/ <-+
|[ ______________________ ]|
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: Are http-based password authentications secure?
Posted by Nico Kadel-Garcia <nk...@comcast.net>.
Mike.Brenner wrote:
> Hi Nico,
>
> Certainly none of those REQUIRE http.
>
> However, I take it that you grant Kalin's
> point that http "is useful" (read "as safe
> and faster") than https IN THOSE 3
> circumstances?
Those circumstances are so limited as to be useless. *SURE*, you don't much
need a seatbelt if you never leave your driveway. But just as soon as
someone needs access from off-site, or as soon as you're connecting via VPN
from someone's off-site location where the VPN client is not the Subversion
client itself, or as soon as some script kiddie gets access to your wireless
network because you're using WEP instead of WAP or are careless with your
WAP keys, you're toast.
> If you don't, I wonder how you recommend
> sending stuff to non-certificated people?
Usually with a self-signed certificate. Most clients will accept them
gracefully once you've accepted the certificate the first time: wget and the
command line svn are a bit annoying with the whinging about it, but it's
understandable with the security model that SSL was conceived for, which is
host authentication as well as end-to-end encryption.
> As a particular example, the website
> cvsdude sets up an svn server
> for you for $10 per month via
> http, or $30 per month via https.
> Do you recommend: always spend the extra
> $20 per month?
Look again. You're comparing apples to oranges: the difference between
$10/month and $22/month includes 5 times the disk space, 3 times the number
of accounts, WebSVN access, a private Bugzilla, etc., etc., etc.
CVSdude is an interesting service. But using HTTP vs. HTTPS for a public
site is so amazingly stupid that I cannot imagine what the company was
thinking.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: Are http-based password authentications secure?
Posted by "Mike.Brenner" <mi...@mitre.org>.
Hi Nico,
Certainly none of those REQUIRE http.
However, I take it that you grant Kalin's
point that http "is useful" (read "as safe
and faster") than https IN THOSE 3
circumstances?
If you don't, I wonder how you recommend
sending stuff to non-certificated people?
As a particular example, the website
cvsdude sets up an svn server
for you for $10 per month via
http, or $30 per month via https.
Do you recommend: always spend the extra
$20 per month?
Nico Kadel-Garcia wrote:
> Not a single one of these require HTTP instead of HTTPS. There's just no
> excuse for it, except possibly that you don't want people whining that
> "I have to click to accept the unsigned key because you're too cheap to
> buy us an authenticated SSL key, boo-hoo".
>
> It's like sending people passwords via email. It's so dangerous in so
> many cases that there's just no excuse for doing it, even when it's
> relatively safe.
Kalin Kozhuharov wrote:
>> ... a few examples where http is useful:
>> 1. A VPN endpoint and SVN/HTTP server on the same machine, no acces
>> except through the (encrypted) VPN
>> 2. A physically secure and isolated (from the Net) LAN
>> 3. Anonymous (RO) public repositories
Nico Kadel-Garcia wrote:
>>> ... HTTP should frankly never be used. ...
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: Are http-based password authentications secure?
Posted by Nico Kadel-Garcia <nk...@comcast.net>.
Kalin KOZHUHAROV wrote:
> Nico Kadel-Garcia wrote:
>> Matt England wrote:
>>> Are authentication passwords given to update a repo that is checked
>>> out via "http://" vs "https://" secure, in the sense that their
>>> transmission is encrypted?
>
>> Via HTTPS, yes. via HTTP, no. This is why HTTP should frankly never
>> be used.
>
> Well, let me give you a few examples where http is useful:
> 1. A VPN endpoint and SVN/HTTP server on the same machine, no acces
> except through the (encrypted) VPN
> 2. A physically secure and isolated (from the Net) LAN
> 3. Anonymous (RO) public repositories
>
> Just my 3 yen :-)
>
> Kalin.
Not a single one of these require HTTP instead of HTTPS. There's just no
excuse for it, except possibly that you don't want people whining that "I
have to click to accept the unsigned key because you're too cheap to buy us
an authenticated SSL key, boo-hoo".
It's like sending people passwords via email. It's so dangerous in so many
cases that there's just no excuse for doing it, even when it's relatively
safe.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: Are http-based password authentications secure?
Posted by Kalin KOZHUHAROV <ka...@thinrope.net>.
Nico Kadel-Garcia wrote:
> Matt England wrote:
>> Are authentication passwords given to update a repo that is checked
>> out via "http://" vs "https://" secure, in the sense that their
>> transmission is encrypted?
> Via HTTPS, yes. via HTTP, no. This is why HTTP should frankly never be
> used.
Well, let me give you a few examples where http is useful:
1. A VPN endpoint and SVN/HTTP server on the same machine, no acces except through the (encrypted) VPN
2. A physically secure and isolated (from the Net) LAN
3. Anonymous (RO) public repositories
Just my 3 yen :-)
Kalin.
--
|[ ~~~~~~~~~~~~~~~~~~~~~~ ]|
+-> http://ThinRope.net/ <-+
|[ ______________________ ]|
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: Are http-based password authentications secure?
Posted by Nico Kadel-Garcia <nk...@comcast.net>.
Matt England wrote:
> Are authentication passwords given to update a repo that is checked
> out via "http://" vs "https://" secure, in the sense that their
> transmission is encrypted?
>
> -Matt
Via HTTPS, yes. via HTTP, no. This is why HTTP should frankly never be used.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org