[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: cvs.debian.org problem



On Fri, Jan 31, 2003 at 01:24:45PM +0100, Thomas Wouters wrote:
> On Thu, Jan 30, 2003 at 11:58:59PM -0500, Matt Zimmerman wrote:

> > Currently, the only secure access method for subversion is to use a local
> > repository.  cvs can be quite reasonably secured using rsh-tunneled
> > operation with ssh, while the only network option for subversion is https,
> > and subversion does not verify server certificates, leaving the door open
> > for a man-in-the-middle attack.

> For network access, subversion uses WebDAV (with DeltaV) which is an
> extension of HTTP specifically designed to also work with HTTPS and proxies
> and such. As such, it is as secure from attacks such as man-in-the-middle as
> the SSL implementation.

So the subversion client provides a visible indicator when there's a
certificate path problem, unlike the majority of SSL-enabled text web
browsers?


-- 
Steve Langasek
postmodern programmer

Attachment: pgpJ_GG8_euIp.pgp
Description: PGP signature


Reply to: